Executive Summary


The goal of this research was to integrate a previously validated and reliable 
predictive safety model, called Continuous Hazard Tracking and Failure Prediction 
Methodology (CHTFPM), into a software application. This led to the development of a 
predictive safety management information system (PSMIS). This means that the theory or
principles of the CHTFPM were incorporated in a software package; hence, the PSMIS is
also referred to as CHTFPM management information system (CHTFPM MIS). The 
purpose of the PSMIS is to reduce the time and manpower required to perform predictive 
safety studies as well as to facilitate the handling of enormous quantities of information 
involved in this type of studies. The CHTFPM theory encompasses the philosophy of 
looking at the concept of safety engineering from a new perspective: from a proactive, 
rather than a reactive, viewpoint. That is, corrective measures are taken before a problem 
occurs, instead of after it has happened. The CHTFPM is a predictive safety
approach because it foresees or anticipates accidents, system failures and unacceptable
risks; therefore, corrective action can be taken in order to prevent all these unwanted 
issues. Consequently, safety and reliability of systems or processes can be further 
improved by taking proactive and timely corrective actions. 
Chapter 1


1. INTRODUCTION 

This chapter emphasizes the need to look at the concept of safety engineering 
from a new perspective: from a proactive, rather than a reactive, point of view. That is, 
remedial action should be taken before the fact, instead of after the fact, resulting in safer 
and more reliable systems or environments in the workplace. For this reason, predictive 
risk analyses have come into an increasing role in providing the most meaningful and 
useful information regarding system assessment and system safety (Cooper, 1998). A 
predictive safety model for prevention of accidents and system failures, called 
Continuous Hazard Tracking and Failure Prediction Methodology (CHTFPM), served as 
the foundation for the development of a predictive safety management information 
system (PSMIS). This research incorporates the CHTFPM into a software package with a 
system’s safety decision support structure. 

In Section 1.1, the problem is identified concerning the lack of safety in industry. A
description of the problem currently faced is given in Section 1.2. The classification of 
the problem is described in Section 1.3, followed by Section 1.4 which provides the 
rationale for investigating and solving the problem. Section 1.5 gives a brief overview of 
the case study scenario that was analyzed in order to test the PSMIS. In Section 1.6, the
scope and purpose of the research are defined. At the end of this chapter, Section 1.7
delineates the organization of the project report. 
1.1 Problem Statement

The presence of hazards in the work environment may cause numerous accidents 
which may lead to personnel injuries or system malfunctions; this happens due to lack of 
safety. Many work-related injuries occur in industry every year. As a case in point, just in
1992, a total of 6.8 million injuries and illnesses were reported in private industry
workplaces, resulting in 60 million lost workdays, according to a survey by the Bureau of
Labor Statistics, U.S. Department of Labor. Consequently, US employers incurred more
than $60 billion in direct workers’ compensation costs in 1992 (Quintana et al., 2001). In
addition, counting costs such as production delays, damage to equipment, recruitment and
training of replacement workers brought the total cost for the year to approximately $350
billion (Olsen, 1993). 

The Occupational Safety and Health Administration (OSHA) requires employers 
to provide safe and healthful working conditions for every working man and woman; this 
is a mandatory regulation under Public Law 91-596 which is officially known as the 
Occupational Safety and Health Act of 1970. However, the above facts demonstrate that 
there is a tremendous lack of safety in the workplace; therefore, there is still much room 
for improvement in the present system safety programs being used in industry today. That 
is why predictive safety is a key point to be included as part of preventative safety
programs in order to ameliorate or eliminate some of these expensive problems.

Additionally, not many studies in predictive safety are seen in the literature;
consequently, there are not many existing predictive safety software products, although
recently there has been considerable growth in predictive safety models. Nonetheless, such
models serve to conduct safety assessments from a reactive (after-the-fact) point of view
but not from a predictive or proactive perspective; this means that accident causes are
investigated after an incident has taken place to determine what must be done to predict
and prevent similar situations.

1.2 Problem Description 

Accidents or system malfunctions do not happen unless a hazard exists (Marshall, 
1982). Thereby, the tracking of safety hazards is essential to predictive safety, but present 
system safety methods typically do not do this (Cooper, 1998). These safety programs are 
usually established piecemeal, based on an after-the-fact philosophy of accident 
prevention (Roland and Moriarity, 1983). As an illustration, when an accident or system 
malfunction occurs, an investigation is conducted to determine the causes. The relevant 
causes are then reviewed and discussed to determine what must be done to prevent 
similar accidents or malfunctions. Finally, the resulting system modifications or
corrections of design safeguards or procedures are made to existing systems (Quintana et
al., 2001). 

What is required is a method or an approach that indicates if the system under 
consideration is becoming hazardous; this information would help to check and eliminate 
the hazard before accidents can happen. The CHTFPM is an approach that alerts systems 
personnel of unsafe situations that could lead to mishaps. The CHTFPM is a new 
predictive safety concept which involves a planned, systematically organized, and
before-the-fact process characterized as the identify-analyze-control method of safety. This
predictive safety model uses the principles of work sampling and control charts, the keys
to tracking hazards (Quintana et al., 2001).

In order to trace hazards, it is imperative to identify the core or unsafe conditions 
that can potentially originate them. These core conditions are the building blocks of 
hazards and can be termed dendritic elements. Dendrite is a word used by materials
scientists to describe the microstructure of the building blocks of metals (Mangonon, 
1999). The development or expansion of multiple dendrites is called dendritic growth, 
hence the term dendritic elements or simply dendritics. Thus, the dendritics form the 
basis for performing continuous safety sampling to evaluate whether the system is
becoming hazardous, so that proactive actions can be taken to avoid accidents or system
failures. 

Besides the lack of predictive safety models that are proactive, such models are not
offered or do not exist in a software application. The necessity for developing
satisfactory analysis and predictive methods for software is so acute that much
research, effort, and money continue to be spent (Davies et al., 1987). There are,
however, some statistical software packages that employ control charts to determine the
stability of a process or system. Unfortunately, such computer programs do not include the
predictive safety portion, which is the identification of dendritics (the building blocks of
hazards) and a self-contained, safety-focused decision support structure.

1.3 Problem Classification 


The problem described in Section 1.2 can be classified as a safety computer 
system challenge, for an integrated safety software application is a project that is difficult
because of the elaboration time it demands (Wrench, 1990). Furthermore, Wrench (1990)
clarifies that the development of a safety management information system (MIS) requires
sophisticated technology and design of databases, skilled programming and software
design experience. As a result, this kind of problem encompasses an elementary theme. 

The fundamental subject is that the development of a safety software application 
must be a team effort. In addition, the team should be comprised of computer software 
professionals and safety professionals (Wrench, 1990), which is the pattern followed in 
this research. Two graduate students formed the project group; one is a computer science 
major and the other one is a manufacturing engineering major (specialized in safety
engineering). The computer scientist focused on the design aspect of the software
(structure, format, presentation, etc.), while the safety specialist contributed the
predictive safety part of the software, which is the main topic of this project.

1.4 Rationale for Solving Problem 

The goal of this research was to make available the CHTFPM in an easy-to-use 
electronic MIS. This means that the theory behind the CHTFPM was integrated in a 
single computer program. The intent was that the PSMIS would carry out all 
computations automatically in order to facilitate for the user the planning, tracking,
control, management and prediction germane to a system’s safety project. Additionally,
the safety status of a system can promptly be known. This signifies that the analyst has a
rapid response to system changes because the user is seeing the effects of the system
almost immediately (Mackie, 1998). Moreover, faster preventative safety measures can
be adopted, resulting in a quicker elimination of the hazard.

It is evident that an integrated MIS approach offers many advantages over hand
computations and even traditional computer programs, like Microsoft Excel, that help in
performing calculations and analyzing information. This approach makes it
easier to exercise control over the calculation processes (Mackie, 1998); furthermore, the
most important benefit is the richer data handling capabilities that are available (Mackie,
2001). Even though the idea of incorporating the CHTFPM into a software package sounds
attractive, it is not a simple job. Designing a dependable software system that is able to
deliver critical services with a high level of confidence is not an easy task (Kaaniche et
al., 2002), especially if there are not many predictive safety software applications
available that can act as a benchmark. For this reason there is an urgent necessity of
developing an integrated predictive safety management information system (PSMIS).


1.5 Industrial Scenarios Analyzed 

The CHTFPM can be utilized in any industrial scenario in general since it is 
robust and, hence, is broadly applicable. To demonstrate the potential utility of the 
CHTFPM MIS, it will be tested using two previous predictive safety studies. One of the 
investigations was carried out at NASA Marshall Space Flight Center (MSFC) to analyze 
the promoted combustion testing chamber operations. The other one was done on the 
hoisting operation, testing and preparation of four high-pressure gas tanks (HPGTs) at 
NASA Kennedy Space Center (KSC). 
The first preventative safety research was performed at the Material Combustion
Research Facility located in MSFC where the system under scope was the promoted 
combustion testing chamber, depicted in Figure 1.1. Specimens were loaded into a 
promoted combustion testing chamber. Ordinarily, the test samples are 1/8-inch diameter, 
12-inch rods of metal or alloy, although the chamber allows up to 18-inch rods. 

Figure 1.1: Cross section of the promoted combustion testing chamber.

After initial placement of the test sample into the promoted combustion chamber,
an aluminum igniter is attached to the sample. The chamber is then filled with 100
percent gaseous oxygen (GOX) bringing the chamber up to the desired test pressure; a
maximum of 10,000 pounds per square inch (psi) is allowed. The sample is ignited and
allowed to burn. A carbon dioxide laser provides an alternate ignition method if so
desired. After the samples were ignited, the burn length of each sample was recorded. A
burn length of more than 6 inches on any one sample constitutes failure of the material.

The second proactive safety project is based on four gaseous tanks that were part 
of a shuttle mission. On July 12, 2001, NASA launched the space vehicle U.S. shuttle 
Atlantis: STS-104 mission with flight crew 7A aboard. The five-member crew would 
install a new joint airlock as well as two oxygen and two nitrogen gas storage tanks on 
the International Space Station (ISS). Figure 1.2 shows the joint airlock and the four 
HPGTs being loaded in the cargo bay of the Atlantis shuttle at KSC. 



Figure 1.2: Joint airlock and HPGTs located in the cargo bay of the shuttle at KSC. 

The new joint airlock would enable crews to perform space walks without the
presence of a shuttle while recovering over 90 percent of the gases that were previously 
lost when airlocks were vented to the vacuum of space. The four high-pressure gas tanks 
(HPGTs) would serve to support future station experiments and space walks 
(http://www.pa o.ksc.nasa.gov/shuttle/summaries/sts1 (H/indre htrrA 

The HPGTs were specially made by a private contractor and tested before being
delivered to NASA KSC. In order to ensure 100% reliability of each individual tank, the
staff at KSC decided to again subject the four tanks to more rigorous tests on various
aspects such as pressure and temperature limits, proper functioning of the tanks in 
general, etc. During these kinds of tests, the HPGTs had to be moved from one place to 
another within the same building with a hoist. Thus, the tanks had to be hoisted with 
extreme care in order to be displaced to different locations; that is why the hoisting 
operation was also a substantial aspect of this particular project. 

1.6 Scope and Purpose of Research 

The main objective of this research is to develop a computer program that will 
facilitate the lengthy and tedious process of predictive safety management. This
software system will include the underlying theory of the CHTFPM. A secondary
objective is to make the PSMIS an easy-to-use program, which implies that it must
contain a user-friendly interface, so the analyst can navigate through the program in a
simple manner. Another objective is that the CHTFPM MIS can provide the user with 
charts, diagrams and results that are quickly and accurately interpreted. 

Coupled with the objectives previously stated, the goal of this study is to validate
the performance of the PSMIS by testing it using the two case scenarios described 
previously. The efficiency of the software application will be determined mainly by the 
time and number of persons required to complete each research study without the aid of 
the CHTFPM MIS relative to when it was employed. Moreover, the same information 
collected pertaining to the studies expressed in Section 1.5 will be utilized in the
CHTFPM MIS to observe if the same results are achieved, which have been previously
validated. 

1.7 Organization of the Project Report 

This project report is partitioned into five chapters. Chapter 1, already
presented, introduced the current problem that is being faced and the approach that
will be taken to solve that challenge. Chapter 2 gives a detailed review on the literature
pertinent to predictive safety models as well as present software programs, along with 
their attributes associated with preventative safety. Chapter 3 describes all the 
components of both the CHTFPM theory and the PSMIS. 

Chapter 4 depicts the implementation and evaluation of the PSMIS by comparing 
the results of the PSMIS with the ones obtained in the original studies and by showing the 
efficiency of the PSMIS in terms of time and manpower (persons) needed to finish the 
projects. Finally, Chapter 5 provides the conclusions and recommendations that will help
future research.


Chapter 2 


2. LITERATURE REVIEW 


This chapter consists of the literature pertaining to existing software associated 
with safety models and issues, such as predictive safety, hazard tracking and control 
charts. Specifically, the most pertinent subjects related to safety analysis will be covered, 
especially aspects in the work environment and industry. In addition, the concept of 
safety models that predict accidents will be studied; that is, safety methods that serve to 
prevent accidents or system failures before they occur. 

2.1 Introduction 

This chapter begins with a discussion of the concept of system safety in Section 
2.2. Section 2.3 covers literature related to hazard analysis with its corresponding salient 
topics: PHA, FMEA and Barrier analysis. Section 2.4 describes the concept of risk 
analysis and risks classifications. In Section 2.5, the theory of predictive safety is 
discussed extensively with some predictive safety models as examples; this section, 
additionally, includes a description of the CHTFPM and its components: dendritic
construction, work sampling and control charts. Finally, Section 2.6 provides information 
of existing computer predictive safety software. 

2.2 System Safety

The presence of hazards in the work environment may cause numerous accidents 
which may lead to personnel injuries and system failures; this happens due to lack of 
safety. For this reason, safety is an essential consideration for all projects (Cheng et al.,
2002). System safety is an element of systems engineering involving the application of 
scientific and engineering principles for the timely identification and control of hazards 
within the system (Preyssl, 1995). 

The safety of the employees and the customers is a principal factor in any process; 
that is why the use of system safety programs has grown considerably in the work 
environment. Thereby, many industries focus on the safety engineering aspect of their
processes by employing methods and techniques to ensure the safety requirements for the
system are met (Spalding, 1998). For instance, some companies implement in their
facilities safety assessments as part of their system safety programs.

A safety assessment evaluates the safety of the project’s output (typically systems 
or equipment). Assessments are aimed at providing confirmation or otherwise of the 
project’s safety claims. Additionally, they provide evidence for the safety case and should 
be viewed as assistance to the project providing necessary confidence as to the integrity 
of the system (Spalding, 1998). A pertinent reason of why safety assessments are part of 
system safety programs is to assure that any system does not produce an intolerable 
degree of risk. There are many different types of safety assessment techniques that assist 
in identifying hazardous conditions and risks becoming intolerable; some of the most 
commonly known practices are hazard analyses and risk analyses. 

2.3 Hazard Analysis

According to Lee et al. (1998), new hazards do arise: they must be identified, the 
risks assessed and managed. Hazard identification should be used at each stage of any 
development or process. In some cases, as the procedure advances in an operation, more 
detailed assessments of hazards have to be performed. Once recognized, by an ongoing or
periodic process of review and reporting, the systems personnel must assess the risks 
arising from the hazards (Lee et al., 1998). Wherever achievable, hazards should be 
eliminated. Nevertheless, where this is not possible, then the primary means of risk 
reduction is to ameliorate the likelihood of the hazard occurring or to minimize the 
severity of the accident. There must be a systematic identification and analysis of hazards 
related to the system (Spalding, 1998). Thereupon, the following techniques are essential 
steps in a hazard analysis: 

1. Preliminary Hazard Analysis (PHA). 

2. Failure Mode and Effect Analysis (FMEA). 

3. Barrier Analysis. 

2.3.1 Preliminary Hazard Analysis 

A preliminary hazard analysis (PHA) or hazard identification is a systematic, 
creative examination of a process or function performed to traverse a representation of 
the parts of the system and their interactions (Spalding, 1998), either with other 
components or the operators. PHA provides an initial risk assessment of a system, 
identifies safety critical areas, evaluates hazards, and identifies the safety design criteria
to be used (Grimaldi and Simonds, 1989). The PHA effort should thus commence during 
the initial phases of system development, or in the case of a fully operational system, at 
the initiation of a safety evaluation (Quintana et al., 2001). 

In this stage of the investigation, the system is analyzed at the top level to derive a 
list of hazards that might be exhibited. Hazard identification is typically carried out using 
brainstorming, checklists and/or hazard study techniques. It is also imperative for 
credibility that the assessor has the appropriate expertise to assess the project technically. 

Thereafter, the evaluator considers the process intention of each component in 
turn and by applying a list of guided words attempts to reveal plausible deviations or 
anomalies from the process purpose (Spalding, 1998). The hazards associated with the 
proposed design or function are identified and evaluated for potential hazard severity, 
probability, time of exposure, and hazard classification (Quintana et al., 2001). As a 
consequence, engineering and/or administrative controls as well as other measures 
deemed necessary to eradicate or decrease unsafe conditions to a tolerable degree should 
be contemplated and recorded. 

2.3.2 Failure Mode and Effect Analysis 

This phase of the procedure analyzes the system at more detailed levels to derive 
the cause-effect chains that could lead to the hazards. The failure mode and effect 
analysis (FMEA) is a common technique employed in causal analysis in order to 
determine the credible combinations or sequences of causal factors which can lead to 
hazardous situations. The FMEA requires a hierarchical breakdown of the system’s
structure of functionality (Spalding, 1998). 

If a possible risk continues unnoticed by the PHA, the FMEA should help in 
detecting it. FMEA provides further analysis at the lowest level for hazards identified in 
the PHA and can even identify hazards caused by failures that may have been previously 
overlooked by the PHA. With FMEA, the analyst chooses a level of the hierarchy to start 
at, considers components or issues at a detailed level of the hierarchy and records their 
failure modes along with causes and effects in tabular form (British Standards Institution 
[BSI], 1991). The failure effects of these subcomponents then become failure modes of 
components at the next higher level. The procedure may be repeated to yield the 
individual failure modes of the entire system (Spalding, 1998). 


2.3.3 Barrier Analysis 

At this step of the process, the trace of a threat that could lead to an accident is 
analyzed. A barrier analysis is utilized to determine the condition and final consequences 
arising from the identified hazards (Spalding, 1998). In addition, a barrier analysis looks 
at these potential sources of problems or hazards as well as how the harm or damage 
occurred (Wilson et al., 1993). Moreover, it also examines any root cause of the problem 
or unwanted event by assessing the adequacy of any installed barriers or safeguards that 
should have prevented, or at least mitigated, its occurrence (Quintana et al., 2001). 

Barrier analysis defines the basic elements of an undesirable event or problem as
the following (Wilson et al., 1993):

1. The threat or hazard that does the harm

2. The people or thing (target) that is harmed 

3. The barrier(s) that could have or should have prevented the threat from reaching 
the target 

4. The path or trace by which the threat reached the target 

There are two kinds of barriers: paper barriers and physical barriers. Paper
barriers may be procedures (norms, standards, rules, etc.) that should be followed when
performing a task. On the other hand, physical barriers may be material objects (special
tools, safeguards, protective equipment, etc.) that serve as an obstacle to prevent the
operator from reaching or going into an unwanted location. It is evident from the
diversity of barriers available for restraining a threat that some barriers will be more 
successful than others in providing protection against hazards. 

2.4 Risk Analysis and Demerit Scheme 

A risk analysis may be performed quantitatively, qualitatively or comparatively 
according to the information available. In any case, the purpose of a risk analysis is to 
ascertain whether or not the risk has been reduced to a tolerable level or whether further
activities are recommended to minimize it further (Spalding, 1998). The risk levels of 
safety systems are described in the legal framework set out by the Health and Safety 
Executive (HSE) in 1992 as follows: 

1. Intolerable risks. These are risks that are not acceptable under any circumstances. 

2. Negligible risks. These are risks that have been reduced to such a low level that no 
further precautions are deemed necessary; the risk is acceptable as it stands.

3. Tolerable risks. These are risks that fall between the two previous categories, where
the risk is acceptable as long as it has been decreased to the lowest level practicable, 
bearing in mind the benefits flowing from its acceptance and taking into account the 
costs of further reduction. 

Put in another way, the different types of risks can be further classified into more 
specific categories or classes according to the acuteness of the defect. Furthermore, one 
of the objectives of the risk analysis is to quantify uncertainty and to apply a severity 
factor to it (Kaplan, 1991). 

To quantify uncertainty, a numerical scale is established which is called frequency 
distribution. A frequency distribution reflects the variability of a parameter over a 
population. In principle, a frequency distribution is measurable by sampling the 
population (Montgomery, 1996). 

Severity refers to the impact of loss in terms of destroyed product, loss in dollars, 
damaged equipment/machinery, or degree of physical impairment (Kaplan, 1991). In 
addition, severity may be time dependent, it may be uncertain, or it may be both time 
dependent and uncertain. Using the factors of frequency and severity, a risk analysis 
develops classes of severity and frequency; these classes are used to rank the relative risk 
of various events. In this research project, a demerit scheme divided in four classes was 
employed to classify the dendritics according to their severity. The demerit scheme used 
in this study was the same as the one recommended by Montgomery (1996), which is the 
following: 

1. Class “A” defects - Very serious. This type of defect will render the unit unfit for
service. It will surely cause operating failure of the unit in service that cannot be
readily corrected on the job and is liable to cause personal injury or property damage.

2. Class “B” defects - Serious. This defect will probably, but not surely, cause a
Class A operating failure of the unit in service. It will cause trouble of a nature less
than Class A operating failures and will cause increased maintenance or decreased
life.

3. Class “C” defects - Moderately serious. A Class C defect could possibly cause
operating failure of the unit in service and is likely to cause trouble of a nature less
serious than operating failure as well as increased maintenance or decreased life.

4. Class “D” defects - Not serious. This defect will not cause operating failure of the
unit in service but does account for minor defects of appearance, finish, or
workmanship. This type of defect accounts for major defects of appearance, finish,
or workmanship.

Once all defects or nonconformities are established, they can be grouped in such a 
way as to accurately portray the seriousness of a defect when compared to others. By 
categorizing the nonconformities (dendritics) into classes, the necessary corrections can 
be better directed to the dendritics that require immediate attention, according to their 
severity. 

2.5 Predictive Safety 

Regarding predictive safety studies, there has not been much research directed 
towards predictive safety, but many parallels to predictive safety can be drawn from the
subject of predictive maintenance or predictive reliability. The escalating operation and
maintenance costs of modern manufacturing processes have caused a search for ways to
reduce costs while maintaining a high level of safety and reliability (Johnson, 1995). A
predictive maintenance program is a tool that addresses this problem (sustaining safety
and reliability at a low cost) and has become widely accepted throughout industry
(Shreve, 1996). Additionally, the concept of measuring or foreseeing the failure of a 
machine component is the central idea of predictive maintenance. 

Under a predictive maintenance program, conditions that cause loss of function or 
impaired performance of a component or system are identified and monitored. Hence, a 
corrective action plan can be carried out in the case that these conditions are occurring, 
thereby limiting actual in-service failures or failures to operate on demand (Johnson, 
1995). In order to apply predictive maintenance to a structure, system, or component, the 
failure modes and mechanism associated with these entities must be identified and 
understood. This information is essential to ensure that the proper conditions are being 
monitored for effective maintenance (Chelbi and Ait-Kadi, 1998). 

Just as in predictive maintenance, a predictive safety program must also identify 
the failure modes and mechanisms associated with system failures. The different failure 
modes and mechanisms that need to be identified are the building blocks of hazards; 
these building blocks of hazards are called dendritic elements. Dendrite is a term used by
materials scientists to describe the microstructure building blocks of metals (Mangonon,
1999). The development or expansion of multiple dendrites is called dendritic growth,
hence the name dendritic elements or simply dendritics.

In an effort to implement an analogy, the materials science term dendrite 
(dendritic) is employed in predictive safety to represent the cornerstone of hazards. More
exactly, the dendritics recognize the initial cause that gives birth to a hazard. That is why 
dendritics are essential factors in forecasting safety studies because they assist in 
identifying hazards; subsequently, they can be eliminated before taking place. Further, 
hazard and risk analyses act as powerful tools in recognizing these dendritics in a system, 
which may lead to a hazard; more important, the tracking of safety hazards is essential to 
predictive safety (Quintana et al., 2001). The relationship between these two 
investigations is that risks arise from hazards; that is, a hazard imports a level of risk. 

Once recognized, by an ongoing or periodic process of review and reporting, risks 
arising from the hazards can be assessed. Furthermore, corrective action can be taken in 
order to prevent any risk before occurring. In other words, these tools alert systems 
personnel of unwanted situations; therefore, these safety approaches aid in predicting 
system failures or accidents. This means that the risk, thus the probability of an accident, 
imported by a hazard can be prevented before occurring, resulting in a predictive and 
preventive safety action. 

Zissler (1996) notes that after a failure impact is determined, there must be a 
means to quantify or measure parameters that will indicate the hazardous condition of the 
equipment being monitored. However, choosing which parameters to measure is often the 
difficult portion of implementing the predictive safety program (Chelbi and Ait-Kadi, 
1998). These parameters are discerned by constantly monitoring the system for the 
occurrence of specified conditions or dendritics which in turn could lead to hazards or 
unacceptable risks. Once the parameters are chosen, the questions of how, when and 
where to take such readings must be addressed and determined; all these points provide 
the information required to commence the predictive safety plan. 

2.5.1 Predictive Safety Models 

As was pointed out earlier, a modest amount of research is found in the literature 
on predictive safety issues. However, these types of studies have been gradually 
increasing in the last couple of years since they are a potent, cost-effective tool. 
Predictive risk (safety) analyses have come into an increasing role in providing the most 
meaningful and useful information regarding system assessment and system safety 
(Cooper, 1998). An advantage of predictive safety models is that they are applicable to 
many case scenarios and are thus robust. 

For instance, the implementation of these predictive safety analyses may include, 
but is not limited to, issues in chemical/nuclear plants, environmental issues, traffic 
incidents and industrial/manufacturing processes. These steadily rising 
models share similar characteristics which serve a common goal, predicting 
accidents, yet some of these methods lack one or more fundamental elements of the 
prediction aspect. 

For instance, accident prediction models for urban junctions and road links were 
developed recently and presented in an article named “Accident prediction models for 
urban roads” (Greibe, 2002). Such models are explained in “Uheldsmodel for 
bygader-Del1: Modeller for 3- og 4-benede kryds. Notat 22, The Danish Road Directorate” (Greibe 
and Hemdorff, 1995) and “Uheldsmodel for bygader-Del2: Modeller for straekninger. 
Notat 59, The Danish Road Directorate” (Greibe and Hemdorff, 1998). 

The main objective of these models is to predict the expected number of 
accidents at urban junctions and road links as accurately as possible. In order to develop the 
models, detailed information on accident data, traffic flow and road design was collected 
from the official accident statistics database covering all police-recorded accidents 
(Greibe, 2002). These models used previously recorded information to predict 
accidents. 

This kind of data acquisition demonstrates that the data employed in the 
calculations were not current, and thus did not provide up-to-the-minute results. 
Moreover, these accident prediction programs take a reactive, instead of a proactive, 
approach to predict or prevent similar anomalies. In other words, when an accident 
arises, an investigation is conducted to determine the causes. The relevant causes are then 
reviewed and discussed to determine what needs to be done to prevent similar accidents. 

These safety programs are usually established piecemeal, based on an 
after-the-fact philosophy of accident prevention (Roland and Moriarty, 1983). The tracking of 
safety hazards is essential to predictive safety, and present system safety methods 
typically do not do this (Cooper, 1998). In addition, these models did not employ control 
charts, the keys for predictive safety (Quintana et al., 2001), to determine if the roads 
were operating under the presence of hazards. 

Another example of a predictive safety method is a safety monitoring model 
which evaluated the performance of road programs. This model was described in a 
published paper labeled “Monitoring performance of road programmes in New Zealand” 
(Guria and Mara, 2000). This approach was based on developing a control chart system 
to identify the occurrence of actual risk changes or deviation from the expected level. In 
addition, these control charts were utilized to monitor fatalities. Unlike the previous 
models described, this one employed new real-time data to perform the analysis. The data 
was incorporated in the control charts to identify the risk changes, so that necessary 
measures could be undertaken. 

Nonetheless, an inconvenience of this model is that charts can be developed on 
a monthly or weekly basis. Monthly charts have the advantage of a longer period of time 
during which the random ups and downs are smoothed; this issue is particularly 
important for fatalities. However, a disadvantage is that it takes a long period of time to 
get an indication of any risk changes. Weekly charts, on the other hand, have the 
disadvantage of a short time period. A crash with a relatively large number of deaths 
indicates the occurrence of an unexpected phenomenon, while its occurrence is possible due 
to randomness. This needs to be taken into consideration while interpreting the charts. 

An advantage of the weekly chart, relative to the monthly chart, is that within a 
few weeks it provides an indication of any risk changes. However, although this 
monitoring safety model utilizes up-to-date information and control charts to spot any 
variations in road safety, it still has the disadvantage of not giving descriptive safety 
statistics of a system on a daily basis. This means that a considerable amount of time has 
to pass in order to obtain any valuable insight on the safety status of a system, even 
when weekly charts are used. 

Therefore, a more complete and reliable predictive safety model that has been 
developed, entitled Continuous Hazard Tracking and Failure Prediction Methodology 
(CHTFPM), will be employed in this research because it addresses the lacking traits of 
existing predictive safety models. Some missing attributes of present anticipatory safety 
models which are met by the CHTFPM are utilizing real-time or current data, making use 
of control charts to determine the safety status of the system, and providing those 
diagrams almost immediately, even on a daily basis. Moreover, the CHTFPM predicts 
accidents and system failures before they reach the user or affect the system. 

2.5.2 CHTFPM 

The Continuous Hazard Tracking and Failure Prediction Methodology 
(CHTFPM) is a predictive safety model. It involves a process that is well planned, 
systematically organized, and before-the-fact and which is characterized as the 
identify-analyze-control method of safety (Quintana et al., 2001). This methodology looks at the 
concept of safety from a proactive, rather than a reactive, perspective; that is, remedial 
action is taken before the fact, instead of after the fact. The way the model achieves the 
previous objective is by tracking a system for the occurrence of conditions becoming 
unsafe. Then it alerts safety managers or systems personnel of the hazardous conditions 
prior to their occurrence; therefore, corrective action can be taken before the risks activate, 
resulting in a proactive safety measure. 

As was mentioned in Section 2.5, the dendritics have to be defined prior to the 
implementation of the predictive safety plan, in this case the CHTFPM. Spotting the 
proper dendritics is critical for implementing an effective CHTFPM. The CHTFPM 
utilizes established system safety tools such as the ones mentioned in Section 2.3 (PHA, 
FMEA and barrier analysis) for detecting the dendritics. The CHTFPM relies heavily on 
these methods for an initial risk assessment of the system and subsequent breakdown and 
analysis of system hazards to determine what the building blocks, or dendritics, of the 
associated hazards are. The dendritics form the foundation for using the CHTFPM to 
determine whether the system is becoming hazardous. Figure 2.1 shows the CHTFPM 
plan. 



Figure 2.1: Schematic of the CHTFPM (Quintana et al., 2001). 

It is important to emphasize that the effectiveness of the CHTFPM depends on the 
identification of the dendritics; these building blocks of hazards are used for performing 
the sampling study of a given system. In addition to the identification of dendritic 
elements, the CHTFPM utilizes concepts underlying the predictive approach to system 
which are derived from work sampling and control chart theories, the keys to tracking 
hazards (Quintana et al., 2001). 

2.5.2.1 Dendritic Construction 

As was explained in Section 2.5, the dendritics have to be defined first in order to 
implement the CHTFPM. Recognizing the proper dendritics is critical for implementing 
an effective CHTFPM. Many of these dendritics or defects emerge due to human error. 
According to Marcombe (1993), accidents-injuries and the disruption of scheduled 
system operation caused by human element factors show that the human element is a 
very significant factor affecting the safety of systems. Unfortunately, many system 
predictive methods are based solely on equipment failures, neglecting the human 
interaction of man-machine systems (Koval, 1997). Therefore, it is vital for 
credibility that the analyst has the appropriate expertise to assess the project not only 
technically but also taking into consideration the human interaction with the system. 

The CHTFPM employs the previously described PHA, FMEA and barrier 
analysis for detecting the dendritics; that is, the CHTFPM strongly relies on these 
techniques for dendritic construction. The CHTFPM uses these 
approaches because they can be applied to human factors analysis. Defining unsafe 
behavior of operators is important when considering overall system safety. When 
constructing the dendritics for a given system, the human interaction with the system 
cannot be ignored and must be included (Carnet, 1999). 

The CHTFPM builds a list of dendritics by analyzing and 
reviewing in detail each entry of the PHA, FMEA and barrier analysis. Afterwards, a 
preliminary dendritic list is formed by choosing the items that will lead to possible 
occurrences which could result in system failure or employee injury (sometimes the 
human is considered as the system). Finally, the initial dendritic record is double-checked 
for any repeating or similar elements and to enhance the wording of the items, resulting in 
the final version of the dendritic list. Nevertheless, the final list of dendritics can be 
modified if more defects or hazardous conditions are found since undetected or new 
hazards may arise. As indicated by Lee et al. (1998), sometimes as the procedure 
advances in an operation, more detailed assessment of hazards has to be performed. 

2.5.2.2 Safety Sampling 


Safety sampling, or work sampling, originates from probability conditions. A 
work sampling investigation consists of a number of random observations taken at 
different intervals in time. CHTFPM utilizes the principles of monitoring, trending and 
pattern recognition to draw inferences. The CHTFPM model emphasizes the application 
of work sampling theory in order to prevent undue risks and accidents. According to 
Meister (1985), accidents are preventable. This prevention is hard to attain and is 
achieved by employing an immense amount of effort conducting periodic, thorough 
inspections and vigilance on the part of operations supervisors. Nonetheless, avoidance of 
unwanted, grave situations can be less difficult if work sampling and control charts, 
taking advantage of the dendritics list, supplement safety inspections. 

The CHTFPM conducts work sampling in a random fashion, rather than at fixed 
periods of time, which is the way safety inspections are performed. Moreover, work 
sampling is used in the CHTFPM as a plain way to present a measure of the tendency of 
the system in a productive and cost-effective manner. Just as work sampling is used to 
give a measurement of overall performance, the sampling in CHTFPM gives an overall 
view of the safety status of the system under observation (Carnet, 1999). If the system 
exhibits symptoms of becoming harmful, then effective control measures can be carried 
out to preserve a desired degree of safety, resulting in prevention of an undesirable, 
severe consequence. 

2.5.2.3 Safety Control Charts 

The core of the CHTFPM is to monitor the system to identify the dendritics that 
lead to hazards. The control charts incorporate these dendritics into graphs to indicate if 
the system is out of control when the system is operating under the presence of these 
defects. In the predictive safety model CHTFPM, control charts are used to measure the 
tendency of a system when it is becoming hazardous. After sampling is performed, a 
control chart is constructed graphically by means of a characteristic that has been 
measured or computed, with a predetermined level of safety. 

The chart contains a center line that represents the average value of the quality 
characteristic corresponding to the in-control state (Montgomery, 1996). Two outer 
horizontal lines called the upper control limit (UCL) and the lower control limit (LCL) 
are also shown on the charts. These control limits are chosen so that if the system is in 
control, nearly all of the sample points will fall between them. If no points go outside the 
bands, it is not necessary to take corrective action. On the contrary, if a point is outside 
the bands or limits, it means that a hazard is present or that the system is out of control 
and requires immediate attention. Thus, the control charts are powerful instruments for 
stabilizing and controlling the system or process at desired operability levels. The 
advantages of control chart applications in industry are listed as follows (Montgomery, 
1996): 

1. Control charts are a proven technique for improving productivity. Just as control 
charts improve productivity, they are used to improve the safety status of a given 
system in the CHTFPM. The control chart provides the technique to evaluate 
system safety as well as measure the success of corrective actions. 

2. Control charts are effective in defect prevention. The control charts utilized by the 
CHTFPM are effective in hazard prevention. By detecting the conditions that lead 
to hazards, dendritics, the control chart provides the impetus to act and correct the 
conditions before hazardous conditions or unacceptable risks occur. 

3. Control charts prevent unnecessary process adjustment. The control charts in the 
CHTFPM indicate when corrective actions need to be taken, by indicating out-of-control 
situations, thus preventing unnecessary system adjustments. 


4. Control charts provide diagnostic information. Analysis of the control charts in the 
CHTFPM can yield information on the safety status of the system under 
observation. By indicating when the system went out-of-control, the control chart 
actually directs the efforts of the system analyst in investigating the causes of 
accidents or system malfunctions. 

5. Control charts provide information about process capability. The control charts in 
the CHTFPM provide an overall view of system safety and give a good indication 
of the relative degree of safety that the system possesses. 

The control charts described previously are usually called Shewhart control 
charts, as they are based on the principles of control charts developed by Dr. Walter A. 
Shewhart (Montgomery, 1996). The signal that the process may be out of control, 
ignoring the use of runs testing, is the occurrence of a single point outside the 3σ limits 
(Hunter, 1986). Even though Shewhart control charts have many advantages, they are 
relatively insensitive to small shifts in the process, on the order of about 1.5σ or less (Ryan, 
1989). 

That is why one alternative to the Shewhart control chart may be used when small 
shifts in the process are of interest: the exponentially weighted moving average (EWMA) 
control chart (Hunter, 1986). The EWMA control chart is, in some 
ways, easier to set up and operate. The EWMA control chart can be viewed as a method 
for establishing real-time dynamic control of the process being monitored (Hunter, 1986). 
The EWMA control chart can be used in CHTFPM when the risks of not detecting small 
shifts in the safety mean of the system under observation rise to unacceptable levels. 

As mentioned earlier, the EWMA performs well detecting small shifts but does 
not react to large shifts as quickly as the Shewhart control chart. A good way to further 
improve the sensitivity of the control procedure to large shifts without sacrificing the 
ability to detect small shifts quickly is to combine a Shewhart control chart with the 
EWMA (Borror et al., 1998). These combined Shewhart-EWMA control procedures are 
effective against both large and small shifts. It is also possible to plot both the Shewhart 
chart and the EWMA chart on the same chart along with the associated control limits for 
each chart (Hunter, 1986). The use of either the Shewhart control charts or the EWMA 
control chart, or both, in CHTFPM depends upon the nature of the system being analyzed 
and the desired protection from risks and unacceptable hazards. The EWMA control chart 
as well as the different kinds of Shewhart control charts and the associated equations for 
their construction will be discussed in further detail in Chapter 3. 

Besides the utilization of control charts, the Pareto analysis is a useful tool in 
knowing which dendritics require immediate attention. The relationship between these 
two techniques is that the control chart indicates if there is reason to suspect that the 
system may be becoming hazardous with respect to the sampled dendritics; consequently, 
this result provides the rationale to carry out a more comprehensive study of individual 
dendritic occurrences using Pareto analysis. This will provide an indication about which 
one of the dendritics has the highest frequency of occurrence; thus necessary and 
proactive measures can be taken more specifically for accident prevention. 
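
The combined Shewhart-EWMA procedure and the follow-up Pareto ranking described above, as an added Python example that is not part of the thesis or of the CHTFPM software. It uses the standard textbook p-chart and EWMA limits (the thesis defers its own equations to Chapter 3); the sample size, λ = 0.2, the 3σ width, the daily counts and the dendritic names are constructed assumptions.

```python
# Added example: Shewhart p chart + EWMA monitoring of dendritic sampling, then Pareto ranking.
# Textbook formulas; all data, names and parameters below are constructed assumptions.
from math import sqrt

N_PER_DAY = 100  # random work-sampling observations per day (assumed)
# Daily count of observations in which at least one dendritic was present.
BASELINE = [10, 9, 11, 10, 12, 8, 10, 11, 9, 10]              # in-control reference period
MONITORED = [10, 11, 14, 15, 14, 15, 14, 15, 14, 15, 14, 22]  # small drift, then a spike
# Occurrences per dendritic during the monitored period (hypothetical dendritic names).
TALLIES = {
    "spill left on floor": 25,
    "machine guard removed": 60,
    "blocked emergency exit": 5,
    "missing eye protection": 10,
}


def p_chart_limits(baseline_counts, n, k=3.0):
    """Return (center, sigma, LCL, UCL) of a p chart estimated from in-control data."""
    p_bar = sum(baseline_counts) / (n * len(baseline_counts))
    sigma = sqrt(p_bar * (1.0 - p_bar) / n)
    return p_bar, sigma, max(0.0, p_bar - k * sigma), min(1.0, p_bar + k * sigma)


def shewhart_signals(props, lcl, ucl):
    """Indices of samples that fall outside the Shewhart control limits."""
    return [i for i, p in enumerate(props) if p < lcl or p > ucl]


def ewma_signals(props, center, sigma, lam=0.2, width=3.0):
    """Indices where the EWMA statistic leaves its time-varying control limits."""
    z, out = center, []
    for i, p in enumerate(props, start=1):
        z = lam * p + (1.0 - lam) * z  # exponentially weighted moving average
        half_width = width * sigma * sqrt(lam / (2.0 - lam) * (1.0 - (1.0 - lam) ** (2 * i)))
        if abs(z - center) > half_width:
            out.append(i - 1)
    return out


def pareto(tallies):
    """Rank dendritics by frequency; rows are (name, count, cumulative percent)."""
    total = sum(tallies.values())
    rows, running = [], 0
    for name, count in sorted(tallies.items(), key=lambda kv: kv[1], reverse=True):
        running += count
        rows.append((name, count, round(100.0 * running / total, 1)))
    return rows


def assess(baseline=BASELINE, monitored=MONITORED, n=N_PER_DAY, tallies=TALLIES):
    """Run the combined procedure; rank dendritics only if either chart signals."""
    center, sigma, lcl, ucl = p_chart_limits(baseline, n)
    props = [c / n for c in monitored]
    shewhart = shewhart_signals(props, lcl, ucl)
    ewma = ewma_signals(props, center, sigma)
    return {
        "limits": (lcl, center, ucl),
        "shewhart": shewhart,
        "ewma": ewma,
        "pareto": pareto(tallies) if (shewhart or ewma) else [],
    }


if __name__ == "__main__":
    result = assess()
    print("Shewhart out-of-control days:", [i + 1 for i in result["shewhart"]])
    print("EWMA out-of-control days:    ", [i + 1 for i in result["ewma"]])
    for name, count, cum in result["pareto"]:
        print(f"{name:26s} {count:3d}  {cum:5.1f}%")
```

On this constructed data the EWMA chart first signals on day 7, during the small drift that stays inside the 3σ Shewhart limits, while the Shewhart chart signals only on the day-12 spike.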

2.6 Predictive Safety Software 

With the rapid evolution of technology, there is a swift increase and development 
of computer software. This proliferation of software has emerged in almost every area and 
field of study: medicine, science, engineering, etc. The scope of this 
section is the literature concerning existing software associated with predictive 
safety. To be more precise, only the most relevant topics related to preventative safety 
analysis will be covered. In addition, the concept of safety models that intend to predict 
accidents will be studied; that is, safety methods that serve to prevent accidents or system 
failures, especially in an electronic or automatic manner, before they occur. 

The purpose of this project is to integrate the CHTFPM in a computer software 
package. That is, the intent of this study is to use the underlying theory of the CHTFPM 
described in all the previous sections of this chapter in a single, simple electronic 
management information system (MIS). The intended predictive safety software will 
carry out all computations and will provide the user (analyst or assessor) the adequate 
graphs such as Pareto diagrams or control charts, as requested. By this means, the safety 
status of the system under consideration will be quickly available; with this attribute, a 
greater degree of interaction with the software can be achieved. This is especially true in 
the area of rapid response to system changes because the user is seeing the effects of the 
system almost immediately, and thereby a greater level of interaction is released 
(Mackie, 1998). Furthermore, faster preventative safety measures can be adopted, 
resulting in an earlier cancellation of the hazard. 

2.6.1 Predictive Reliability and Statistical Software 

Not many studies in predictive safety are seen in the literature; consequently, there are 
not many existing predictive safety software products. Most of the available safety 
computer systems serve to conduct safety assessments from a reactive (after-the-fact) 
point of view but not from a predictive or proactive perspective. Lately, there has been a 
considerable growth of predictive safety models; nonetheless, such models, like the ones 
described in Section 2.5.1, are not offered in a software package. Therefore, the necessity 
for developing satisfactory analysis and predictive methods for software is so acute that 
much research, effort, and money continues to be spent (Davies et al., 1987). 

In addition, recalling from Section 2.5, predictive safety can be drawn in parallel 
from the subject of predictive maintenance or predictive reliability. In this topic, there are 
several software applications, such as Alvey and Esprit programmes; additionally, 
Proportional Hazard Modeling methods for software reliability data were largely 
developed (Davies et al., 1987). For predictive reliability software, in particular, analysts 
have focused upon these methods as a systematic approach to the incorporation of the 
wealth of supplementary information often available in software development or software 
reliability databases (Davies et al., 1987). Some early work in this area was undertaken 
by Boeing in the USA (Nagel and Skrivan, 1981) and continuing interest was followed in 
France (Font, 1985); moreover, Wightman and Bendell (1986) were the ones to apply 
Proportional Hazards modeling to reliability software. 

At the beginning of the 1980’s, a typical software reliability prediction method 
required data comprising a history of the times at which individual failures occurred 
(Dale and Foster, 1987). This typical quality, similar to the predictive models elucidated 
in Section 2.5.1, shows that such reliability predictive methods needed information 
that was previously recorded for estimating failure prediction. This mode of data 
acquisition demonstrates that the data employed in the calculations was not current; 
current data is preferable so that more modern results can be obtained, leading to more accurate 
deductions. Likewise, these reliability prediction programs also adopted a reactive, 
instead of a proactive, approach to foresee similar system breakdowns. As per Roland 
and Moriarty (1983), these safety (reliability) programs are usually established 
piecemeal, based on an after-the-fact philosophy of accident prevention. In order to be 
proactive, the tracking of safety hazards is essential to predictive safety, and present 
system safety methods typically do not do this (Cooper, 1998), including predictive safety 
computer applications. 

Another major feature in the 70’s and early 80’s of reliability software was the 
incorporation of statistical models proposed for assessment and prediction (Veevers et 
al., 1987). However, some approaches back then carried a heavy computational burden, 
and hence statistical methods were not readily implementable for software applications; 
moreover, this state of affairs reflected the fact that no software reliability model was 
generally useful or applicable (Veevers et al., 1987). The difficult interpretation by the 
non-statistician and the inappropriateness of the predictive statistical methods for 
software applications were mainly due to the fact that in the past this type of software did 
not have a user-friendly interface such as a Windows environment. The CHTFPM 
software addresses and meets these issues: data is presented in an easy-to-understand 
manner and the software is generally applicable to different case studies. In present times, incorporation 
of statistical methods in software reliability prediction is feasible (Veevers et al., 1987); 
in fact, various statistical software packages, like MINITAB, DATAPAC, etc., are 
available for statistical analysis of data including virtually all types of control charts. 

Today’s statistical software can calculate the sample parameters, initial control 
limits and control charts. Most software can provide additional summaries and analyses 
such as listings of the raw data, out-of-specification values, histograms, checks for runs 
and other patterns within control limits, tests for normality, process capability 
calculations, Pareto analyses, and trend analyses (Juran, 1988). Unfortunately, such 
software programs are only for statistical purposes and do not take into account the safety 
aspects of a project, especially the human interaction portion. In the words of Koval 
(1997), many reliability or statistical predictive methods are based solely on equipment 
failures, neglecting the human interaction of man-machine systems. This signifies that the 
statistical programs do not typically provide dendritic identification capabilities. 

Furthermore, the safety information would have to be stored by the analyst in a 
different location from the statistical program, either on paper or electronically. 
Therefore, in a predictive safety study, safety data would have to be first stored in one 
location (database, paper files, etc.) and then extracted from its original site and input 
again in the statistical software for calculations. This means that the data has 
to be entered twice which, apart from interaction inefficiencies, could lead to possible 
mistakes (misinterpretation or human error) at the time of re-entering the data, resulting 
in erroneous conclusions. 

The CHTFPM software will comprise the safety and statistical aspects together in 
one, single software application; this implies that the safety information will be saved in 
the same program where the statistical computations will be executed. To be more 
precise, safety records and/or reports will be kept in a database contained in the 
CHTFPM computer program. Getting information out of the records, however, is a cause 
of frequent frustration, which is why professionals need to look critically at their 
recordkeeping practices from gathering data to providing information (Wrench, 1990). It 
is strongly recommended, therefore, to use databases to store safety records and/or 
information. 

That is why Wrench (1990) urges each health and safety professional to calculate 
on an annual basis the cost in time to produce every record in the office, the cost of the 
space the records occupy, the cost of the cabinets and shelves they fill, and the cost of the 
time spent in trying to find data when needed. An examination of this sort can be 
revealing since the cost is likely to equal or surpass the cost of the personnel hired to 
ensure company health and safety. If this lesson were taken to heart, controls would be 
instituted and an immediate effort would be made to computerize. Moreover, by having 
safety reports together with the statistical portion in the same software package, records 
will not have to be re-entered; thus, no faults due to human error will be exhibited. In 
fact, the calculations will be carried out automatically after the safety data has been 
recorded. 

Besides keeping safety records outside the statistical computer system, current 
statistical software products do not offer the user suggestions or recommendations for 
performing calculations. For instance, the analyst may try to use a p chart to analyze 
some data; however, such information is best represented by a c chart. Consequently, the 
results may not be accurate, leading to false conclusions or wrong interpretations. The 
CHTFPM will also tackle this limitation; it will supply to the assessor the suggestions 
and options of what type of analyses are more adequately suited for the data collected, 
according to the circumstances of the system under observation. 


2.6.2 Computerized Predictive Safety 

In conjunction with predictive reliability and statistical software, there exist 
simulation methods and computer aided safety monitoring whose foci are linked to 
predictive safety. These computer approaches monitor systems and analyze collected data 
to identify possible causes of adverse or hazardous conditions. Thus, anomalies can be 
predicted and the appropriate actions can be taken to prevent system failures 
and accidents. Some existing computerized safety monitoring and prediction systems are 
like the CHTFPM software application in various aspects. The similarities and 
differences between these computerized methodologies and the CHTFPM computer 
program are discussed in this section. 

2.6.2.1 Predictive Simulation Software 

In a traffic accident prediction study, injury potential of a safety design feature is 
predicted by using laboratory/mathematical simulation data of traffic accidents (Norin 
and Isaksson-Hellman, 1995). The research states that mathematical simulations could 
predict by correlation the type of injuries in a certain accident configuration before the 
system is exposed to harmful circumstances (in this investigation the human was the 
system). In this report, MADYMO mathematical simulation software models (TNO, 
1990) are used. The MADYMO simulation models were validated for Volvo 240 cars 
from full scale crashes at several speeds and from a Hyge sled test series (Norin et al., 
1991). This computer/mathematical simulation method has several similarities to the 
CHTFPM software program. 

2.6.2.1.1 Similarities between the MADYMO and the CHTFPM MIS 

The first similarity of MADYMO with the CHTFPM MIS is that this approach is 
proactive, which means that it can predict accident likelihood (in this case injury risks) in 
advance and hence influence the design and manufacturing of the vehicle before a mishap 
reaches the user. As indicated by the article, the purpose of this method is to create a 
means of predicting to what extent a component of a car can influence the risk of injury 
before the system is exposed to real traffic conditions. By paying particular attention to 
such components, corrective action can take place before the driver is exposed to hazards 
(Norin and Isaksson-Hellman, 1995). 

A second similarity this computer simulation model has with the CHTFPM
electronic version is that it can be generalized or applied to other protection systems
and to other accident types (Norin and Isaksson-Hellman, 1995). A third likeness is that
the mathematical safety simulation approach, just as the computerized CHTFPM, utilizes
a large amount of current information collected in near real-time from the experiments to
perform calculations. This indicates that data from preceding or previous accidents was
not employed; instead, in-progress data was used to predict accidents.

A fourth similarity between the two compared models is that both take into
account the human interaction with the machines. In the case of the MADYMO
simulation methodology, the machine is the car, and the human interaction parameters
considered are occupant size and seating position, among others (Norin and
Isaksson-Hellman, 1995). An assessment of how a system functions must consider the
human-system interaction wherever humans are involved with it (Bologna and Hollnagel,
2002). The person’s behavior has to be defined and quantified when considering overall
system safety.

2.6.2.1.2 Differences between the MADYMO and the CHTFPM MIS 

Just as this method has similarities to the CHTFPM MIS, it also has 
dissimilarities. Unlike the CHTFPM computer system which displays control charts, the 
MADYMO application only provides distribution graphs to make inferences about the 
safety standing of the system. 

Another difference between the two is that the mathematical MADYMO
model always implies a simplified description of reality and certain faults (errors) occur
with such generalization (Norin and Isaksson-Hellman, 1995). This denotes that such
software does not quantify possible error of the results, whereas the CHTFPM program
does.

2.6.2.2 Computer Safety Monitoring Software

An additional safety software application is a safety monitoring computer 
program that measures adverse conditions in the system requiring attention; thus, such 
unacceptable situations can be addressed and solved before resulting in an accident. A 
construction report written by Cheng et al. (2002) focuses on describing the development 
of a decision support system (DSS) for safety monitoring of excavations in construction 
sites. This computer system is designed to assist construction engineers in monitoring and 
controlling the excavation conditions that could become hazardous with the aid of 
instruments (wall inclinometer, strut and rebar strain gages, etc.) placed in the
construction field. Like the previously depicted computer simulation system 
(MADYMO), the DSS also has various analogous aspects to the CHTFPM MIS. 

2.6.2.2.1 Similarities between the DSS and the CHTFPM MIS 

One feature the DSS shares with the CHTFPM MIS is that it is a before-the-fact
safety technique, which implies that its predictive aspect prevents accidents due to the
fact that corrective action can take place before they can occur. As stated in the
article, adverse conditions can be predicted and appropriate actions can be taken to prevent
construction accidents (Cheng et al., 2002). Another attribute the DSS shares with
the CHTFPM computer software is that it utilizes present-day information,
gathered from the instruments located in the construction field, to perform computations
which entail the safety state of the system.

An additional characteristic of the DSS is that it helps identify possible causes and
origins of hazardous conditions (Cheng et al., 2002). This is analogous to the FMEA and
dendritic qualities, respectively, of the CHTFPM software application. More exactly, the
possible causes of adverse conditions in the DSS resemble the causes of the failure modes
depicted in an FMEA (which is enclosed in the CHTFPM computer program). In the
same way, the possible origins of unacceptable situations in the DSS are analogous to the
dendritics (building blocks of hazards) in the CHTFPM software package.

One more comparable element between the DSS and the CHTFPM software
program is that both employ databases to store safety information in the same application
where the calculations are performed. The use of databases is highly recommended since it
facilitates data handling/management. In effect, by applying open database connectivity,
the program data interface writes/reads the information to/from the associated databases,
respectively. Moreover, through this process, the stored safety data files can act as the
communication media (Cheng et al., 2002).

A final similarity to the CHTFPM MIS is that the DSS is a PC-based software
program. The prime development tools of the DSS include Visual Basic, MS Excel,
Access and MapInfo, which were developed in a Windows environment. Further, the user
communicates with the system components through a custom interface developed with
Visual Basic (Cheng et al., 2002). All the previously defined points are also part of the
CHTFPM software, including the use of Access as a platform. Additionally, just like the
computerized CHTFPM, the DSS, when compared with manual methods, significantly
improves automation in safety monitoring, enhances computational efficiency and
increases data accuracy and consistency (Cheng et al., 2002).


2.6.2.2.2 Differences between the DSS and the CHTFPM MIS 

In the same manner that the MADYMO computer simulation system has some
distinctions from the CHTFPM software, the DSS computer program differs from the
CHTFPM MIS as well. For example, an obvious dissimilarity is that the DSS does not
use control charts as the source for portraying the system’s safety status. The DSS, rather,
displays graphical trends as well as data distribution plots that depict the degree of safety of
the system and estimate possible accident likelihood.

In addition to not utilizing control charts, the DSS differs from the CHTFPM
software package because the first method is not generally applicable, while the CHTFPM
MIS is robust. Although the DSS is applicable within the subject of construction work, it
is inappropriate for other case scenarios since it requires special equipment or
instrumentation used exclusively in construction.

The last difference between the DSS and the computerized CHTFPM is that the 
DSS is costly to use. The electronic CHTFPM, however, is a cost-effective tool because 
it does not require any additional allocation of resources (Quintana et al., 2001). The 
DSS, on the other hand, collects and transmits measured data from the construction 
ground to the job site office using automated transmission technology through cable 
connections or wireless communication. Therefore, this factor, besides the measuring 
instruments, contributes to a high cost to implement such a safety monitoring system. 


Chapter 3 


3. PREDICTIVE SAFETY SOFTWARE COMPONENTS 

The focal point of this study is to incorporate the theory behind the CHTFPM into 
a software package; therefore, this chapter describes the CHTFPM constituents both in 
theory and in the computer program. First, an overview of the ingredients of this 
predictive safety model will be explained in order to understand how the predictive safety 
management information system (PSMIS) will work. Subsequently, the integration of the 
CHTFPM elements into a programmable system will be depicted in the form of 
flowcharts to portray the functioning of the CHTFPM MIS. 

3.1 Introduction 

This chapter presents in Section 3.2 the flowchart symbols used in the program
design of the PSMIS as well as their meaning. In Section 3.3, an overview of the entire
program utilization is provided, followed by a general overview of the software package in
Section 3.4. The construction of dendritics is explained in Section 3.5. Section 3.6 talks
about the preliminary samples needed to establish control limits. Control chart theory is
presented in Section 3.7. Section 3.8 describes the topics related to safety sampling. In
Section 3.9, the Pareto analysis is elucidated. Finally, Section 3.10 consists of the help
and decision support offered to the user.

3.2 Flowchart Symbols

Before revealing the CHTFPM components in theory as well as in a flowchart
fashion, it is essential to understand the meaning of symbols employed in the diagrams
that show how the MIS will carry out a certain process or task. One reason for choosing
flowcharts to explain the process of the predictive safety computer system is that
program design frequently involves the use of flowcharts (Whitten et al., 1989). In
addition, system flowcharts were one of the very first tools commonly used by systems
analysts and computer programmers.

The American National Standards Institute (ANSI) has established certain
symbols that have been widely used in the computer industry to describe the logic of both
systems and computer programs (Whitten et al., 1989). The symbols that were utilized in
the flowcharts for the development of the PSMIS are depicted in Figure 3.1 together with
their meaning according to the ANSI standards:



Figure 3.1: Flowchart symbols and their meanings (Whitten et al., 1989). 

Another reason for using flowcharts in the development of PSMIS is that,
given the appropriate diagramming techniques, it is much easier to describe complex
activities and procedures in diagrams than in text (Martin, 1987). A picture can be much
better than a thousand words because it is concise, precise and clear. Furthermore,
systems flowcharts are the basis for communication between end-users, systems analysts,
computer operations personnel and computer programmers (Whitten et al., 1989).


3.3 Overview of the CHTFPM Program Utilization 

This section presents an outline and a general idea of the underlying theory of the 
CHTFPM, which consists of identifying the dendritics of a system — the building blocks 
of hazards. Founded on this rationale, the first step of the PSMIS, or CHTFPM MIS, is to 
construct the list of dendritics based on the reports of the PHA, FMEA and barrier 
analysis. Second, sampling has to be carried out to determine the number of samples 
needed for statistical significance and to establish the control limits. From these 
preliminary samples, a Pareto diagram can be constructed according to the cumulative 
frequencies of the observed dendritics. 

In order to conduct the initial observations, the computer program provides the 
user with sampling sheets in the form of reports to document the occurrence of dendritics. 
After deciding to set up the control limits, the type of control chart must be selected so 
that the respective control chart parameters can be calculated. Once the type of control 
chart has been chosen to represent the safety status of a system, the control limits can be 
computed and implemented to measure the safety level of the process. Before plotting
points on the control chart, a safety sampling scheme must be created in order to begin
collecting data. Such data will be mapped on the control chart after the sampling plan has
been developed.

From the information acquired using the designed sampling scheme, a Pareto
diagram can be obtained to depict the dendritics that occur more often. When plotting the
points on the control chart, it can be seen whether the system is in-control or not. If the system
is in-control, sampling can continue without any problems. However, if the control chart
shows that the system is out-of-control, an investigation must take place to find the
causes that triggered the alarm; the sampling sheets can aid in finding the source(s)
that gave rise to an out-of-control point.

If it was determined that the point outside the control limits is due to an irrelevant or
minor reason, then that point is called an outlier, which simply means that the system is safe
or stable and as a result that point can be ignored. Hence, no changes or corrections are
required, and the current control limits can be employed for upcoming monitoring and
control.

If it was concluded that the out-of-control point is due to an assignable cause (special
cause not part of a process), it denotes that the system is operating under the presence of
hazards; thus, an accident or system failure can occur. In this situation, it is necessary to
take immediate action and fix the problem that provoked the hazardous condition(s). As
soon as corrections have been made to the process or system, new control limits have to
be created, and new dendritics have to be identified if necessary. Figure 3.2 summarizes in a
flowchart the entire description of this section.

Figure 3.2: Flowchart of the entire CHTFPM MIS general process

3.4 General Overview of the PSMIS

The PSMIS consists of four main tasks, which are the basic and general functions 
of the program. In order to facilitate the usage of PSMIS and the handling of information, 
the system was broken down into four major events, which are given below: 

• Create a new project.

• Edit a project.

• Delete a project.

• Exit program.

Each of these events is described in greater detail in the following sections of this
chapter, but the trivial tasks, such as “Delete a project” and “Exit program”, are briefly
stated in this section. In addition, the beginning portion of the “Create a new project”
action is also explained in this section since it is deemed necessary to understand the total
functioning of the PSMIS. Moreover, the user has to deal with this segment of the
program, for it is fundamental when carrying out a safety project because the end-user has to
specify the project number or the project name among other fields, as is explained later
in this section.

The scheme that represents the primary actions in the PSMIS is shown in Figure
3.3. These principal actions are the main events of the CHTFPM computer program; thus,
they make up the main menu of the PSMIS as illustrated in Figure 3.4, which represents
the flowchart of Figure 3.3.

The “Delete a project” characteristic of the PSMIS (CHTFPM MIS) simply
executes the action of erasing permanently from the databases all the data related to a
particular project. This aspect is portrayed in Figure 3.5. So, when the analyst clicks on
the “Delete a project” button, the program asks the user to confirm the deletion action for
the selected project, but the person also has the choice to retract from the deletion

Similar to the previously depicted element, the other simple factor of the principal
events is the “Exit program” selection, which is the option that allows the analyst to exit
from the program. This feature is very straightforward and self-explanatory; Figure 3.7
illustrates the manner in which the “Exit program” event is carried out.



The beginning portion of the “Create a project” attribute is essential when
conducting a safety study. The program asks the user to fill out the required fields, which
are the “Project ID,” “Project Name,” “Description” and “Analyst Name” fields. If these
fields are empty, the program will not allow the user to continue with the project, as
seen in Figures 3.8 and 3.10.




Figure 3.8: Beginning portion of the “Create a new project” event of the PSMIS

Additionally, Figure 3.9 depicts the information fields of a project that must be
filled in when commencing a new project. The “Project ID” feature is the most important
entry, for it is the identification (ID) number/name by which all projects are classified
and recognized. In other words, the project ID is the quality that distinguishes one project
from another and helps preserve the integrity of the system; therefore, the program will
forbid the repetition of a project ID. Figure 3.10 is an example of a message box that the
PSMIS displays when a required field is empty; in this case the “Analyst Name” field
supposedly was not filled out.



[Figure 3.9 screen fields: Project ID (25), Date (27-Feb-03), Project Name (Calibration process), Description]

Figure 3.9: New project information screen.



Figure 3.10: Message box indicating that a required field is empty. 




3.5 Dendritic Construction

The fundamental issue in the implementation of the CHTFPM is the identification
of the core conditions leading to hazards in any given system; these core conditions can
be termed the dendritics of a particular class of hazards. If dendritics are present in a
system, they may lead to a hazardous condition, which ultimately can result in an
accident or system malfunction. To develop the dendritic list for a system, a thorough
study of the system must be performed using established system safety analysis tools,
such as the PHA, FMEA and barrier analysis (see Section 2.3). The CHTFPM strongly
relies on these techniques for dendritic construction (Quintana et al., 2001), as
illustrated in Table 3.1.


Table 3.1: Techniques for dendritic construction (Quintana et al., 2001).

PHA:               Identifies safety critical areas, evaluates hazards, and identifies
                   the safety design criteria to be used.

FMEA:              Systematic approach that identifies potential failure modes in a
                   system. Focuses on conditions that can lead to hazardous situations.

Barrier Analysis:  Effectively identifies root cause of an unwanted event or problem.
                   Extremely useful in programmatic or system analyses involving human
                   interaction with the overall system.


The list of dendritics is developed by analyzing and reviewing in detail each
entry of the PHA, FMEA and barrier analysis. Afterwards, a preliminary dendritic list is
formed by choosing the items that will lead to possible occurrences which could result in
system failure or employee injury. Finally, the initial dendritic record is double-checked
for any repeating or similar elements and to enhance the wording of the items, resulting in
the final version of the dendritic list. Nevertheless, the final list of dendritics can be
modified if more defects or hazardous conditions are found since undetected or new
hazards may arise. As indicated by Lee et al. (1998), sometimes as the procedure
advances in an operation, more detailed assessment of hazards has to be performed. All
this process has to be done by the analyst either by hand or by typewriting the
information. This procedure is long and sometimes tedious; however, it is necessary in
order to identify the dendritics of the system or process.

On the other hand, the PSMIS can accomplish the dendritic construction
automatically and faster. The way this is achieved is shown in Figure
3.11, which is the continuation of the “Create a new project” event flowchart in Figure
3.8. To build the list of dendritics, the user has two alternatives.

First, the analyst can choose to fill out one or all of the analysis forms: PHA,
FMEA or barrier analysis. If he or she did so, then the program will enable the user to
create the dendritic list from the information entered in the forms with the push of a
button called “Import Dendritics.”

The second option the end-user has is to create the dendritic list directly without
having to fill out any of the previously mentioned safety sheets; that is, he or she will
specify the dendritics or core conditions that could lead to a hazard according to his/her
own judgment. In addition, the CHTFPM MIS has the capability of allowing the analyst
to modify the list by adding, deleting or editing (rephrasing) dendritics. Moreover, if the
end-user altered the dendritic list and does not like the result, the person can reset or
go back to the original dendritic list, as seen in Figure 3.12.

Figure 3.11: Dendritic construction process in the PSMIS.

Figure 3.12: Edit feature for the dendritic list.


Another vital step in constructing dendritics is the aspect of adding weights to
them because weighting the dendritics can help distinguish the more serious problems from
the less serious. The demerit scheme recommended by Montgomery (1996) was used in
this study to partition dendritics into four classifications (see Section 2.4) which, in fact,
is the same plan the CHTFPM MIS uses as default. Once the nonconformities or
dendritics are separated into categories, each class is weighted or assigned demerits. A
weight is assigned to a dendritic corresponding to its classification. For example, the
highest weight will be designated to the dendritics that are judged to be in the “very
serious” class; on the contrary, the lowest weight will be appointed to the dendritics or
defects in the category of “not serious”. The following demerits or weights for each class
of dendritics are widely used in practice (Montgomery, 1996) and were the ones
employed in this research:

• Class “A” defects (dendritics) - 100

• Class “B” defects (dendritics) - 50

• Class “C” defects (dendritics) - 10

• Class “D” defects (dendritics) - 1

According to these weights, the number of demerits in every observation can be defined 
as (Montgomery, 1996): 

$$d_h = 100\,c_{hA} + 50\,c_{hB} + 10\,c_{hC} + c_{hD} \qquad (3.1)$$

where

$c_{hA}$ is the number of Class A defects (dendritics) that occurred in observation $h$.

$c_{hB}$ is the number of Class B defects (dendritics) that occurred in observation $h$.

$c_{hC}$ is the number of Class C defects (dendritics) that occurred in observation $h$.

$c_{hD}$ is the number of Class D defects (dendritics) that occurred in observation $h$.

Since the previously recommended weights are broadly utilized in studies, the
PSMIS uses the same demerits as the default values for the dendritics. Nevertheless, the
software application enables the user to assign other weights, different from the default
values, to the dendritics as the analyst deems appropriate. As a result, the weight values
of Equation 3.1 will change, correspondingly, to those chosen by the user. From the
computer program standpoint, the procedure of assigning weights to each dendritic, after
the dendritic list has been completed, is carried out in the fashion and sequence
shown in Figure 3.13.



Figure 3.13: Flowchart for assigning weights to dendritics. 

3.6 Safety Sampling 

The CHTFPM is a concept of providing safety condition information in a
statistical and economical manner by using the principles of safety work sampling. The
Industrial Engineering Terminology Standard Z94.12 defines work sampling as “an
application of random sampling techniques to the study of work activities so that the
proportions of time devoted to different elements of work can be estimated with a given
degree of statistical validity” (Shell, 1986). A safety sampling study consists of a large
number of observations taken at random intervals or times. In taking the observations, the
state or condition of the object of study is noted and conclusions can be drawn.

Sampling is the process of drawing inferences concerning the characteristics of a 
mass of items by examining closely the characteristics of a somewhat smaller number of 
items drawn from the entire mass, also termed as the population or universe (Williams, 
1978). In general, there are three common methods of drawing samples (Kolarik, 1999): 

1. Random Sampling: One or more sampling units selected from a population
according to some specified procedure. The sample is considered random if the
laws of chance govern its selection. That is, each sampling unit from the population
has an equal chance of being selected. For example, picking an apple from a basket
filled with apples would be a random sample. Each apple has the same probability
of being picked without any apparent preference.

2. Systematic Sampling: A method in which a regularly ordered interval is maintained
between items chosen. An example would be selecting every tenth part that exits an
assembly line.

3. Stratified Sampling: A method which classifies the population units into a certain
number of groups, called strata, and then selects samples independently from
each group or stratum. The division of the population into strata is usually done in
such a way as to reduce the variability of the sampled statistics. For example, the use
of regular intervals between samples can be applied, with judgmental modifications,
when it is thought that process disruptions are more/less likely to occur.

Random sampling is the ideal method for sampling because a sample taken at
random from a large group tends to have the same pattern or distribution as the large
group or universe. This means that in taking random observations, the state or condition
of a process under study is noted with a high degree of confidence if the sample size is
large enough. As a result, from the proportion of investigations, conclusions can be
drawn concerning the total work activity under consideration (Barnes, 1957).

In addition, random sampling is a cost-effective tool in analyzing a system since it
does not require any additional allocation of resources (Quintana et al., 2001). Random
sampling is also cheaper and faster than a complete observation, also called a census,
because it is usually only a fraction of the group size (Williams, 1978). Consequently, the
random sampling method is by far the most commonly used sampling method in industry
today (Vining, 1998). Therefore, random sampling is the method that the PSMIS will use
to develop a sampling plan. Random sampling will be performed by
defining the number of subgroups and the number of samples per subgroup, which will
be elucidated shortly.

3.6.1 Groups, Subgroups and Observations per Subgroup 

Subgrouping is important because it permits enhanced statistical
performance in control charts; such enhancement refers to reducing the chance of failing
to detect a dendritic or assignable cause in a given system or process, according to
Kolarik (1999). Subgrouping is also valuable because it provides a statistical test to
determine whether the variation from subgroup to subgroup is consistent with the process
mean and the average variation within the subgroups (Grant and Leavenworth, 1996). In
addition, the most obvious rational basis for subgrouping is order of production or time
order (Montgomery, 1996), which is an organized list of random times that are arranged
in sequence or succession. Therefore, according to the rationale presented before, time
order is the logical basis that the PSMIS employs for data collection.

The sample size should be chosen in a way that appears likely to give the
maximum chance for the observations in each subgroup to be alike (Montgomery, 1996).
In other words, the choice of subgroup size should be influenced, in part, by the
desirability of permitting a minimum chance for variation within a subgroup. In most
cases, more useful information will be obtained from, say, five subgroups of 5
inspections than from one subgroup of 25 observations. In large subgroups, such as one
of 25 observations, there is likely to be a much greater opportunity for a process change
within a subgroup (Quintana et al., 2001).

On many occasions, subgroups of 4 inspections are adequate and sufficient for
deriving reliable conclusions. Subgroup sizes of 4 (+ 1 observations) are extremely
helpful to determine whether or not a group of measurements is statistically
homogeneous, for the possibility of a large variation within a subgroup is considerably
less. Subgroups of size 4 also allow a maximum chance for the subgroups to differ one
from the other (Montgomery, 1996). Since subgroups of size 4 are widely used in
practice, the PSMIS recommends this criterion as the subgroup range. Nevertheless, the
analyst can choose any other subgroup size.

For example, if a safety study is to be conducted in an assembly line of a
manufacturing plant, for 5 days (assuming each day has one shift of 8 hours), then the
study could be broken down into 5 groups (days) of 8 subgroups (hours) each. The
number of observations per subgroup would be selected by the analyst, say 4. Therefore,
each observation would be represented by a random time in which an inspection would
take place to look for any dendritics present in the system at that moment. This means
that each subgroup would be made up of 4 arbitrary times (observations).

It is fundamental to mention that the subgroup values are the points plotted in a
control chart in relation to the characteristic of the particular Shewhart control chart being
used. For instance, the p chart plots the fraction of dendritics and the u chart plots the
average of dendritics in each subgroup, but the c chart plots the number of defects per
subgroup (Section 3.7 provides a thorough description of this aspect). Developing plots
of subgroup means may appear counterintuitive from a physical perspective; however, it
is essential because it makes a great deal of sense from a statistical point of view since
precision is gained (Kolarik, 1999). In addition, the center line is the process mean, and it
is also computed based on the distinguished quality of the respective attribute (Shewhart)
control chart.

3.6.2 Preliminary Sampling Plan 

Initial or introductory samples are indispensable to achieve statistical confidence
in a safety study. Therefore, it is first required to develop a preliminary sampling plan in
order to conduct initial observations. This introductory sampling scheme involves
random times, at which the inspections will be carried out. The random times can be
generated by the CHTFPM MIS or by the analyst with the aid of a programmable,
random beeper or any other device, as shown in Figure 3.14.

In the event that the first choice is made, the end-user can modify the random
times if these are not right. This capability is helpful on occasions when an arbitrary time
falls at a moment that is inappropriate. For instance, if observations will be conducted
in a production line of an industrial plant, it may be possible that a sampling time will be
listed at a period when the operators are scheduled to take a break; therefore, that random
time will fall at an improper instant. If this happens, it is necessary to edit or change that
specific time to a suitable moment (see Figure 3.14); nevertheless, the system analyst can
also disregard that particular time if he or she does not want to correct it.

On the other hand, if the second approach is followed, the user will have to record
the random times whenever the beeper makes a sound and input those times later into a
table that was created by the computer program. That is, the worksheet where the random
times are placed (table for random times) stays vacant, since no times are generated, so
the analyst can enter the beeper times at a later instant. Before the random
beeper times are entered into the computer, the CHTFPM program combines the dendritic list and the
table for random times in order to build a form or sheet for data collection. This form can
be printed to register the data from the initial observations if the inspection site is away
from the computer; then such information can be input afterward into the software along
with the random beeper times (refer to Figure 3.15). In addition, if the user does not like
the set of random times, for any reason, the individual 
times, as illustrated in Figure 3.14. 
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Figure 3.14: Flowchart of preliminary sampling plan. 







3.6.2.1 Sample Size for Statistical Significance

A calculation of the number of samples necessary to attain statistical significance
is a substantial element of the validity of the model. To calculate the number of
observations needed, n' (n prime), to achieve statistical dependability, it is a requisite to
carry out initial samples in order to collect data from dendritic occurrences. Nonetheless,
before calculating n', it is obligatory to know the percent of dendritics present (p).
Furthermore, prior to determining p, the system assessor must specify to the software
program the length of the confidence interval (CI), L', and confidence level (CL), thus the
error percent (α = 100[1 - CL] %), which is the accuracy desired for statistical impact.

The CL and α are required to decide what level of certainty is desired in the final
results; further, the number of samples depends on these two values. The confidence level
is the probability that the true parameter may occur within the specified percent range
under the standard normal distribution curve. Additionally, the L' and CL values can be
changed by the analyst at any moment throughout the realization of a project, but the
respective, previous results will be affected accordingly. The following equations depict
the necessary calculations for determination of the minimal sample size (Devore, 1995):

$$p = \frac{\text{Number of dendritics observed in the preliminary sampling}}{(\text{Total possible dendritics per observation}) \times (\text{Number of observations})} \qquad (3.2)$$

$$n' = \frac{4\,(z_{\alpha/2})^{2}\,p\,(1-p)}{(L')^{2}} \qquad (3.3)$$

where

L' is the length of the confidence interval (CI) for p.

$z_{\alpha/2}$ is the value on the z axis for which α/2 of the area under the standard
normal curve lies (Devore, 1995).

The previous equations are integrated into the CHTFPM code as well as the
equations for the control limits (view Section 3.7). Therefore, such reckonings will be
performed automatically by the PSMIS. Hence, the analyst can know at what point
statistical significance has been achieved. Figure 3.15 describes the organization and
sequence of this process.


3.6.2.2 Establish Control Limits 

In order to establish the safety control limits, a preliminary set of observations
must be performed. This is also done to find out the minimum number of observations or
inspections required to have statistical reliability (n') based on the desired L' and CL
specified by the analyst. The resulting number of n' is then compared with the acquired
sample size of the preliminary investigation, n, to verify that enough inspections have
been performed. If the required amount of observations has not been reached, the process
of acquiring data should continue until the essential number of samples has been taken.

However, the system evaluator, at any point, can choose to establish the control
limits even if the actual number of samples (n) does not match the number of inspections
needed (n'). In other words, the user can view the actual error percentage, α, that
corresponds to the actual number of samples, n, that have been taken. If the individual
deems that the real error proportion (α) is acceptable, then he/she can decide to set up the
control boundaries even though the required quantity of observations (n') has not been
attained, as shown in Figure 3.15.




Figure 3.15: Flowchart to calculate number of samples needed for statistical significance.

In addition, the system analyst can also choose to specify the proportion/percent
of dendritics, p, to find the number of samples needed (n'). This means that the user can
input an estimated value of p before conducting the preliminary observations, but the
subsequent recalculations of p, if necessary or requested, will be obtained based on the
data gathered from the preliminary data set. If the analyst decides to take this path to
calculate n', the software will tell the system evaluator the number of samples that must
be taken according to the proportion or percent of dendritics, p, that he or she predicted,
as observed in Figure 3.16. Then the individual can perform the number of samples
needed for statistical importance.

If the person opts to conduct fewer observations than the ones stated by the
computer program (based on the approximation of p), the CHTFPM MIS can know the
computed percent of dendritics, p, in the preliminary data set. With the p value, the
PSMIS can also calculate the actual error percentage (α) that corresponds to the actual
number of observations conducted (n). Thereafter, it is up to the analyst to determine
whether or not to set up the control limits even though the user did not carry out the
required amount of samples (n'). Figure 3.16 portrays this PSMIS procedure when p is
estimated. Once all this is accomplished, the control limits can be calculated by the
software application (see Figure 3.17) and the analyst can proceed with actual sampling
in the manner described in Section 3.6.3.
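
The sample-size check of Sections 3.6.2.1 and 3.6.2.2 can be sketched in Python as follows. This is an added example, not the CHTFPM MIS code: the function names and the preliminary-study figures are constructed for illustration, and the achieved error is obtained by solving Equation 3.3 for α at the actual n, taking the critical value from the upper tail of the standard normal curve.

```python
from math import ceil, sqrt
from statistics import NormalDist

STD_NORMAL = NormalDist()  # standard normal distribution (mean 0, sd 1)


def dendritic_proportion(observed, possible_per_observation, observations):
    """Equation 3.2: share of all dendritic opportunities that were observed."""
    opportunities = possible_per_observation * observations
    if opportunities <= 0:
        raise ValueError("need at least one observation and one possible dendritic")
    if not 0 <= observed <= opportunities:
        raise ValueError("observed dendritics cannot exceed the opportunities")
    return observed / opportunities


def required_samples(p, ci_length, confidence_level):
    """Equation 3.3: n' = 4 (z_{alpha/2})^2 p (1 - p) / L'^2, rounded up.

    p may be computed from preliminary data or be the analyst's own estimate.
    """
    if not 0 < confidence_level < 1 or ci_length <= 0:
        raise ValueError("need 0 < CL < 1 and L' > 0")
    alpha = 1 - confidence_level
    z = STD_NORMAL.inv_cdf(1 - alpha / 2)  # upper-tail critical value
    return ceil(4 * z * z * p * (1 - p) / ci_length ** 2)


def achieved_error(p, ci_length, n):
    """Equation 3.3 solved for alpha at the n actually collected."""
    if n <= 0:
        raise ValueError("n must be positive")
    spread = sqrt(p * (1 - p))
    if spread == 0:  # p of 0 or 1 leaves no sampling variation
        return 0.0
    z = ci_length * sqrt(n) / (2 * spread)
    return 2 * (1 - STD_NORMAL.cdf(z))


def significance_report(observed, possible_per_observation, observations,
                        ci_length, confidence_level):
    """Compare n with n' and report the error the analyst is asked to accept."""
    p = dendritic_proportion(observed, possible_per_observation, observations)
    n_required = required_samples(p, ci_length, confidence_level)
    return {
        "p": p,
        "n_required": n_required,
        "n_actual": observations,
        "significant": observations >= n_required,
        "achieved_alpha": achieved_error(p, ci_length, observations),
    }


if __name__ == "__main__":
    # Constructed preliminary study: 40 observations, 30 possible dendritics
    # per observation, 96 dendritics seen; the analyst asks for L' = 0.05
    # and CL = 95%.
    report = significance_report(96, 30, 40, ci_length=0.05, confidence_level=0.95)
    for key, value in report.items():
        print(f"{key}: {value}")
```

With these constructed figures the 40 preliminary observations fall well short of n', and the achieved error shows how much confidence would be given up by setting the control limits at that point.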
Figure 3.16: Process that the PSMIS follows when the user estimates p











3.6.2.3 PSMIS Process to Establish Control Limits

The equations for calculating the control limits of all control charts are integrated
in the CHTFPM code as well and are depicted in Section 3.7. Therefore, such reckonings
will be performed automatically by the software system. The CHTFPM MIS executes the
respective computations (center line, LCL, UCL, etc.) depending on the type of
chart selected. Once the user chooses to establish the control limits, the person needs to
select the type of Shewhart chart that will represent the collected data.

After the preliminary sampling has been terminated, the PSMIS offers the user
four options. The analyst can view the control limits as well as the plotted points for any
of the four attribute control charts (c, p, u or weighted chart), except the EWMA chart
(review Section 3.7.7 for a clarification on this subject). By having the accessibility of
viewing the plotted points of a control chart of the preliminary data, the analyst can
observe if there are any out-of-control points (Section 3.8 elucidates how to deal with
points out of control).

A control chart is constructed graphically by plotting a point or characteristic that
has been measured or computed from a sample (e.g. number of dendritics in subgroup 1)
versus the corresponding sample number (e.g. subgroup 1). The CHTFPM MIS will plot
the chart points according to the attribute chart that is selected. Therefore, even though
the control chart values are plotted in subgroups, each Shewhart chart has a different
way to calculate the subgroup values (refer to Section 3.7 for a detailed explanation of
these characteristics). In addition, Figure 3.17 represents the manner in which the PSMIS
establishes or calculates the center line and control limits in order to make them available
for the analyst to see.



Figure 3.17: Flowchart for the calculation of the control limits. 

Additionally, at this stage of the PSMIS, a Pareto diagram is available, as shown
in Figure 3.17. This implies that the number of dendritics observed during the
introductory samples will be tallied. The Pareto chart is an excellent tool for classifying
process upset causes by ordering the most frequently observed dendritics from highest to
lowest (see Section 3.6.4). Thus, the Pareto analysis is a useful tool for prioritizing
process improvement effort (Kolarik, 1999).

3.6.3 Actual Sampling Plan 

The same procedure used in the preliminary sampling scheme must be exactly
followed to design the actual sampling plan. It is necessary that both the preliminary and
the actual sampling plans have equal sample size; that is, the same number of observations
in each subgroup. Otherwise, the user will only be allowed by the PSMIS to view a u
chart since this is the single control chart that does not carry the restriction of equal
sample size (please read Sections 3.7.3 and 3.8.2 to comprehend this matter). Moreover,
the actual samples are carried out after the preliminary observations because the
CHTFPM MIS executes both sampling schemes separately. However, they are joined
together by the PSMIS once the actual observations have been introduced into the
software system. This signifies that the subgroup values and control limits obtained in the
preliminary data set are plotted with the actual samples concurrently in the same graph.

The CHTFPM MIS prompts the end-user to indicate the desired number of
groups, number of subgroups in each group and samples per subgroup. The CHTFPM
code takes these specifications and constructs a table where the arbitrary times will be
placed, as shown in Figure 3.18. The sampling plan process is identical to the process of
the random times for the preliminary samples. Once the preferred number of subgroups
and inspections per subgroup are specified, the software program offers the analyst two
options to create a sampling scheme.

The first choice the analyst has is to generate the random times necessary for each
observation by means of the PSMIS (see Figure 3.18). If the user takes this course of
action, the computer program will create arbitrary times and will place them in the
spreadsheet or table previously fabricated. Additionally, just as the dendritic construction
portion of the PSMIS allows the user to change or edit the dendritic list, the computer
system also permits the analyst to modify the random times if these are not correct. By
this, it is meant that on some occasions an arbitrary time may fall within an invalid range.

Using again as an illustration the example of the assembly line previously stated,
it may be possible that a sampling time could be scheduled at a period when the operators
are programmed to have lunch. Consequently, only that random time(s) would have to be
modified or regenerated to a different, but valid, time instead of generating once more the
entire random times of the sampling plan.

The second alternative the user has to produce random times is by using a
programmable, random beeper or other method. If the analyst decides to pursue this
route, the worksheet for the random times will remain empty so that the user can input
the random beeper times manually at a later moment. In addition, the evaluator would
conduct an observation whenever the pager alarm goes off; however, the individual must
notice and record the time at which the observation was taken, so he/she can input that
time afterward in the CHTFPM MIS.

Figure 3.18: Flowchart of actual sampling plan.


After electing any of the two paths for generating arbitrary times, the person
conducting the study can preview the sampling form (where dendritics observed are
documented) to verify that everything is correct. If there are mistakes, the end-user can
go back and make any corrections as necessary. On the contrary, if the sampling form is
correct, it can be printed as a hard copy (view Figure 3.18); thus, observations can be
recorded manually and then transferred or input into the computer program as illustrated
in Figure 3.19.

3.6.4 Pareto Analysis 

The Pareto Analysis is an excellent tool for classifying process upset causes by
ordering the most frequently observed dendritics from highest to lowest by means of a
Pareto chart or diagram. A Pareto chart is a pictorial representation of a frequency
distribution for categorical data (Devore, 1995). A frequency distribution essentially
provides a count of only the number of observations of a particular characteristic or
category. Each category represents a different type of nonconformity or dendritic. The
categories are ordered so that the one with the largest frequency appears on the far left of
the diagram, then the category with the second largest frequency, and so on (Devore,
1995). Therefore, a Pareto diagram is constructed using rectangles or bars whose heights
are equivalent to the frequencies.

The CHTFPM MIS calculates the cumulative frequency of the dendritics and
arranges them from highest to lowest, so the Pareto diagram can be constructed to portray
which dendritics occur more frequently compared to others. The rank ordering in the
Pareto chart automatically isolates and focuses our attention on the most frequent cause
or dendritics (Kolarik, 1999); thus, proactive measures can be taken more specifically for
accident prevention.

Figure 3.19 shows in one of the steps of the process the calculation of the total
frequency of each dendritic. This complete Pareto diagram, which includes the incidences
of both preliminary and actual sampling plans, is only accessible under the “Management
Reports” option (see Section 3.8.1 for a description of this feature). To view the control
charts with the entire observation points plotted (preliminary plus actual samples), the
same previous submenu has to be selected, which is under the “Edit a project” menu.



Figure 3.19: Flowchart for calculating total dendritic frequency and entire chart values. 








3.7 Safety Control Charts Theory

A system or process operating under the presence of assignable causes is said to
be out of control (Montgomery, 1996). An assignable cause is simply something that is
not common to happen and that is wrong with the process. Assignable causes in the
CHTFPM are the dendritics, or building blocks of hazards. To eliminate an assignable
cause, the process must be fixed or repaired (Levinson and Tumbelty, 1997). Statistical
process control is used to measure the tendency of assignable causes in a process (to
determine if the process is becoming hazardous), and control charts are employed
extensively for this task (Wise and Fair, 1998).

A control chart is constructed graphically by plotting a point or characteristic that
has been measured or computed from a sample (e.g. number of dendritics in subgroup 1)
versus the corresponding sample number (e.g. subgroup 1). The chart contains a center
line that represents the average value of the quality characteristic corresponding to the
in-control state (Montgomery, 1996). Two outer horizontal lines, called the upper control
limit (UCL) and the lower control limit (LCL), are also shown on the charts. These
control limits are chosen so that if the process is in control, nearly all of the sample points
will fall between them.

The manner in which these limits are chosen is by selecting the type of control
chart, thus a distribution, which would best represent the nature of the process or system
being analyzed. There are several different types of control charts (refer to Section
2.5.2.3). Each type of chart has different center lines and control limits. The Shewhart
control charts are also called attribute charts; these charts are preferred in industry
because they are universally applicable, and there are three widely used attribute control
charts in statistical process control (Wise and Fair, 1998).

3.7.1 Control Chart for Nonconformities 

There are many practical situations in which it is preferred to work directly with
the number of defects or nonconformities (Levinson and Tumbelty, 1997). The chart that
lends itself particularly well for this job in the CHTFPM is called the c chart or control
chart for nonconformities. In process control, a nonconformity is a defect in an item or
product. An item may have several quality characteristics that are examined
simultaneously by the inspector. If the item does not conform to standard on one or more
of these characteristics, the item is classified as nonconforming (Montgomery, 1996);
hence, nonconformities represent flaws or defects in a product. In the CHTFPM, the
nonconformities or defects are the dendritics. If a system is said to be nonconforming, it
means that the system is operating under the influence of unacceptable risks or hazards,
which are originated from the dendritics.

A criterion of the c chart is that each inspection unit (e.g. subgroup) must be of
constant sample size. Moreover, this chart assumes that the occurrence of
nonconformities, or dendritics, in inspection blocks of equal sample size is modeled by
the Poisson distribution (Montgomery, 1996). Essentially, this requires that the number of
opportunities or potential locations for dendritics be infinitely large and that the
probability of occurrence of a dendritic at any location be small and constant (Grant and
Leavenworth, 1996).

A c chart is constructed by plotting the number of dendritics or nonconformities
in each subgroup. The parameters of the control chart for the number of nonconformities
per inspection segment are as follows (Montgomery, 1996):

$$\text{Center Line} = \bar{c} = \frac{\sum_{i=1}^{m} c_i}{m} \qquad (3.4)$$

$$\text{UCL} = \bar{c} + 3\sqrt{\bar{c}} \qquad (3.5)$$

$$\text{LCL} = \bar{c} - 3\sqrt{\bar{c}} \qquad (3.6)$$

where

i is used as a subgroup or sample index.

$c_i$ is the observed number of defects (dendritics) in sample ($m_i$).

m is the number of subgroups or samples taken in the preliminary set of data.

$\bar{c}$ is the mean or average of nonconformities (dendritics) per subgroup in the
preliminary set of data.

The 3 is present in the control limit formula because the chart is based on three
standard deviations (3σ) from the central value. Thus, the UCL and the LCL will have
approximately 99.73% of all normal observations within their boundaries, since 3σ
means that approximately 99.73% of all observations should be within these limits
(Vuung, 1998). This 3σ control limit on either side of the center line is commonly used to
construct the control charts for work sampling, regardless of its particular use
(Montgomery, 1996).

3.7.2 Control Chart for Fraction Nonconforming

The control chart for fraction nonconforming is also known as the p chart. This
chart relates to the fraction of nonconforming (defective) items produced by a process;
hence, the name of control chart for fraction nonconforming. Unlike the c chart that deals
with the number of nonconformities observed per inspection entity, the p chart works
with the fraction nonconforming. In other words, the fraction nonconforming is defined
as the ratio of the number of nonconforming items in a population to the total number of
items in that population (Montgomery, 1996). The statistical principles underlying the
control chart for fraction nonconforming are based on the binomial distribution.

Suppose a production process is operating in a stable manner, such that the
probability that a unit will not conform to specifications is p, and that successive units
produced are independent. Then if there are $D_i$ nonconforming or defective items in
sample i, the fraction nonconforming in the ith sample, which is the plotted subgroup
value in the p chart, is computed as:

$$p_i = \frac{D_i}{n} = \frac{\text{Number of observed defective items (dendritics) in sample } i\ (m_i)}{\text{Sample size}} \qquad (3.7)$$

where

i is used as a subgroup or sample index.

n is the sample size, which represents the total number of possible defective items
(dendritics) in each sample or subgroup.

The center line ($\bar{p}$) and the control limits for the p chart are given by the
following formulas (Montgomery, 1996):

$$\text{Center Line} = \bar{p} = \frac{\sum_{i=1}^{m} D_i}{mn} = \frac{\sum_{i=1}^{m} p_i}{m} \qquad (3.8)$$

$$\text{UCL} = \bar{p} + 3\sqrt{\frac{\bar{p}(1-\bar{p})}{n}} \qquad (3.9)$$

$$\text{LCL} = \bar{p} - 3\sqrt{\frac{\bar{p}(1-\bar{p})}{n}} \qquad (3.10)$$

where

m is the number of subgroups or samples taken in the preliminary sampling.

$\bar{p}$ is the average of all the subgroup proportions of nonconforming items (dendritics)
in the preliminary sampling.

3.7.3 Control Chart for Average Nonconformities per Unit 

The third kind of control chart is called the control chart for average
nonconformities per unit or u chart. This chart is useful in situations where the average
number of nonconformities per unit is a more convenient basis for process control (Wise
and Fair, 1998); the u chart is designed to deal with this case. A nonconforming item, as it
was said earlier, is a unit of product that does not satisfy one or more of the specifications
for that product.

Each specific point at which a specification is not satisfied results in a defect or
nonconformity (Montgomery, 1996). Consequently, a nonconforming item will contain at
least one nonconformity. Since a nonconforming product may have more than one
nonconformity, it is more suitable in some situations to deal with the average number of
defects or nonconformities (dendritics) per inspection unit (Montgomery, 1996).

The size of the inspection unit can be 1, 2, 3, ..., n items per sample. In the
CHTFPM, the inspection unit size can be 1, 2, 3, ..., n observations per subgroup. This
implies that the inspection unit cannot be greater than the subgroup or sample size, n,
specified in either sampling plan: preliminary or actual. However, the recommended size
of the inspection unit by the PSMIS is 1 (one).

The u chart plots the average number of occurring nonconformities (dendritics)
per inspection unit for each subgroup sampled. Similar to the c chart, the u chart is based
on the fundamentals of the Poisson distribution (Montgomery, 1996). However, unlike
the c and p charts, the u chart does not carry the restriction of equal sample size. In
circumstances where sample sizes are not equal, the u chart is the proper chart to use. If
$c_i$ total nonconformities are found in sample i of $n_i$ inspection units, then the number of
nonconformities per inspection unit in a subgroup is:

$$u_i = \frac{c_i}{n_i} = \frac{\text{Number of observed defects (dendritics) in sample } i\ (m_i)}{\text{Number of inspection units in sample } i\ (m_i)} \qquad (3.11)$$

where

i is used as a subgroup or sample index.

$$n_i = \frac{\text{Number of conducted observations in sample } i\ (m_i)}{\text{Size of inspection unit}} \qquad (3.12)$$

The parameters of the control chart for the average number of nonconformities per unit
are the following (Montgomery, 1996):

Center Line = ū =    (3.13)

UCL = ū + 3    (3.14)

LCL = ū - 3    (3.15)

3.7.4 Weighted Control Chart

Although the three previously described charts are the most commonly used
Shewhart control charts in practice, there is still one more attribute chart that belongs to
this group: the weighted chart. The aspect of adding weights to the dendritics or
nonconformities, as it was talked about before, can help identify the more severe
problems from the less serious. Moreover, depending on the nature and severity of the
dendritics, it is quite possible for a unit (system) to contain several nonconformities and
not be classified as nonconforming (Montgomery, 1996). For this reason, the weighted
chart is a handy tool in cases of this sort.

As an example, suppose the manufactured items are personal computers. Each
unit could have one or more very minor flaws in the cabinet finish and since these flaws
do not seriously affect the unit's functional operation, it could be classified as
conforming. However, if there are severe defects or too many of these flaws, the personal
computer should be classified as nonconforming, since the flaws would be very
noticeable to the customer and might affect the sale of the unit. In addition, this chart is
also assumed to be well modeled by a Poisson distribution. Mathematically, u is the total
number of demerits in a sample divided by the sample size, which is equal for every
subgroup:


$$u_i = \frac{D_i}{n} = \frac{\sum_{h=1}^{n} d_h}{n} \qquad (3.16)$$

where

i is used as a subgroup or sample index.

n is the sample size, which represents the number of observations per subgroup.

$D_i$ is the total number of demerits in sample i ($m_i$).

$d_h$ is described in Equation 3.1 (Section 3.5).


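Since u is a linear combination of independent Poisson random variables, it can be
plotted on a control chart with the following parameters (Montgomery, 1996):

$$\text{Center Line} = \bar{u} = 100\bar{u}_A + 50\bar{u}_B + 10\bar{u}_C + \bar{u}_D \qquad (3.17)$$

$$\text{UCL} = \bar{u} + 3\sigma_u \qquad (3.18)$$

$$\text{LCL} = \bar{u} - 3\sigma_u \qquad (3.19)$$

where

$$\sigma_u = \left[(100)^2\bar{u}_A + (50)^2\bar{u}_B + (10)^2\bar{u}_C + \bar{u}_D\right]^{1/2} \qquad (3.20)$$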

In the preceding equations, $\bar{u}_A$, $\bar{u}_B$, $\bar{u}_C$, and $\bar{u}_D$ represent the average number of Class A,
Class B, Class C, and Class D dendritics, respectively, per subgroup. These values are
obtained from the analysis of preliminary data, taken when the process is supposedly
operating in control. For example, to find the value of $\bar{u}_A$, the following

$$u_{iA} = \frac{\sum_{h=1}^{n} c_{hA}}{n} \qquad (3.21)$$

$$\bar{u}_A = \frac{\sum_{i=1}^{m} u_{iA}}{m} \qquad (3.22)$$

where

h is used as an observation index.

$c_{hA}$ is the number of defects (dendritics) occurred in observation h ($n_h$).

m is the number of subgroups or samples taken in the preliminary study.
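
The c, p and u charts of Sections 3.7.1 to 3.7.3 can be compared on one data set with the Python sketch below, which is an added example and not the CHTFPM MIS code. All names and counts are constructed; flooring a negative LCL at 0 and the u chart form (center line Σc_i/Σn_i, limits ū ± 3√(ū/n_i)) are the standard textbook conventions, stated here as assumptions.

```python
from math import sqrt


def three_sigma(center, sigma):
    """Center line with 3-sigma limits. Assumption: a negative LCL is set to 0,
    because counts and proportions cannot be negative."""
    return {"center": center,
            "lcl": max(0.0, center - 3 * sigma),
            "ucl": center + 3 * sigma}


def c_chart(prelim_counts):
    """Equations 3.4 to 3.6: limits from the dendritic count of each subgroup."""
    c_bar = sum(prelim_counts) / len(prelim_counts)
    return three_sigma(c_bar, sqrt(c_bar))


def p_chart(prelim_counts, n):
    """Equations 3.8 to 3.10; n = possible dendritics per subgroup (constant)."""
    p_bar = sum(prelim_counts) / (len(prelim_counts) * n)
    return three_sigma(p_bar, sqrt(p_bar * (1 - p_bar) / n))


def u_chart(prelim_counts, prelim_units, units):
    """u chart limits for a subgroup holding `units` inspection units.

    Assumption: standard textbook form, center = sum(c_i) / sum(n_i) and
    limits = center +/- 3 * sqrt(center / n_i), so the limits vary with n_i.
    """
    u_bar = sum(prelim_counts) / sum(prelim_units)
    return three_sigma(u_bar, sqrt(u_bar / units))


def out_of_control(values, limits):
    """1-based subgroup numbers whose plotted value falls outside its limits.

    `limits` is one dict for fixed limits or a list with one dict per subgroup.
    """
    if isinstance(limits, dict):
        limits = [limits] * len(values)
    return [i for i, (v, lim) in enumerate(zip(values, limits), start=1)
            if v < lim["lcl"] or v > lim["ucl"]]


# Constructed data: 10 preliminary subgroups of 4 observations each, with
# 10 possible dendritics per observation (40 opportunities per subgroup).
PRELIM_COUNTS = [4, 6, 5, 3, 7, 5, 4, 6, 5, 5]
PRELIM_UNITS = [4] * 10        # inspection unit size 1, so 4 units per subgroup
OPPORTUNITIES = 40

# Constructed actual sampling with unequal subgroup sizes: subgroup 3 held
# 8 observations and subgroup 4 only 2.
ACTUAL_COUNTS = [5, 7, 12, 4]
ACTUAL_UNITS = [4, 4, 8, 2]


def review_actual_samples():
    """Out-of-control subgroups for the same actual data on each chart.

    The c and p charts treat every subgroup as if it had the preliminary
    size, which is why they are only valid for equal sample sizes.
    """
    c_flags = out_of_control(ACTUAL_COUNTS, c_chart(PRELIM_COUNTS))
    p_values = [d / OPPORTUNITIES for d in ACTUAL_COUNTS]
    p_flags = out_of_control(p_values, p_chart(PRELIM_COUNTS, OPPORTUNITIES))
    u_values = [c / n for c, n in zip(ACTUAL_COUNTS, ACTUAL_UNITS)]
    u_limits = [u_chart(PRELIM_COUNTS, PRELIM_UNITS, n) for n in ACTUAL_UNITS]
    u_flags = out_of_control(u_values, u_limits)
    return {"c": c_flags, "p": p_flags, "u": u_flags}


if __name__ == "__main__":
    print(review_actual_samples())
```

On this constructed data the c and p charts raise an alarm for subgroup 3 only because it contained twice as many observations, while the u chart, which scales by the number of inspection units, does not.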

3.7.5 EWMA Chart 

The exponentially weighted moving average (EWMA) control chart is a good
alternative to the Shewhart control chart when small shifts in the process mean, in the
order of 1.5σ or less, need to be detected (Ng and Case, 1989). Like Shewhart control
charts, the EWMA control chart is easy to implement and interpret (Lucas and Saccucci,
1990). Consider a process from which the sequence of quality measurements $x_1, x_2, \ldots, x_i$
is taken in each subgroup, assuming that $x_1, x_2, \ldots, x_i$ are i.i.d. Poisson random variables
with mean μ. When the process is in control, $\mu = \mu_0$ (the specified or target value). To
monitor the process, an EWMA chart can be applied. It is based on the subsequent
statistic (Montgomery, 1996):

The starting value, $Z_0$ (required with the first sample at i = 1), is often taken to be
the target value ($\mu_0$). If $\mu_0$ is not known, the average of the subgroups in the preliminary
samples is used as the starting value of the EWMA, so $Z_0 = \bar{x}$; thus, $Z_0 = \mu_0 = \bar{x}$. The $\bar{x}$
stands for any of the c, p or u Shewhart charts ($\bar{c}$, $\bar{p}$ or $\bar{u}$, respectively). Likewise, the $x_i$
in Equation 3.25 refers to the subgroup value of any of the c, p or u attribute control
charts. This connotes that the EWMA chart is constructed based on the type of Shewhart
(attribute) control chart selected. The process is considered to be out of control and action
should be taken whenever $Z_i$ falls outside the range of the control limits (Ng and Case,
1989). Therefore, the EWMA control chart would be constructed by plotting $Z_i$ versus
the sample number i. The center line and control limits for the EWMA control chart are
as follows (Borror et al., 1998):


UCL = μ_0 + L    (3.24)

Center Line = μ_0    (3.25)

LCL = μ_0 -    (3.26)

where

i is used as a subgroup or sample index.

L is the distance of the control limits from the center line in multiples of the standard
deviation (σ).

λ is the weighting factor (sometimes called weight).

The design factors of the EWMA control chart are L and λ, which give the desired
in-control ARL. The average run length (ARL) provides assistance in choosing what
these two values should be worth. The ARL of a control charting procedure is defined as
the expected number of sampling stages until an out of control condition is raised (Grant
and Leavenworth, 1996). When a process is in control, a large ARL is desired. On the
other hand, when a shift has occurred and it is necessary to detect the shift as quickly as
possible, it is desirable to have a small ARL for an out-of-control process (Borror et al.,
1998).


The ARL is used to determine the values for the factors of the EWMA control
chart, L and λ. There have been several theoretical studies of the ARL properties of the
EWMA control chart (Montgomery, 1996). These studies provide average run length
tables or graphs for a range of values of L and λ. The average run length performance for
several EWMA control schemes is shown in Table 3.2.


Table 3.2: Average run lengths for several EWMA control schemes (Lucas and Saccucci,

For example, suppose an in-control ARL of 500 is desired (the control chart will
plot 500 points before a “false alarm” out of control point is plotted); in Table 3.2, the
various values for L and λ will give in-control ARLs of 500. Additionally, it is also
desired to detect a shift in the safety mean of 1.0σ (one standard deviation, σ) above or
below the control limits. Using the values for L and λ in column one, these numbers
should be 3.054 and 0.40, respectively. Therefore, if the system is in control the $ARL_0$ is
500 and for detecting a variation in the process mean of 1σ the $ARL_1$ is 14.3 (it will take
roughly 15 subgroups to detect the shift with a point outside of the control limits).

In general, values of λ in the interval 0.05 < λ < 0.25 work well in practice, with
λ = 0.05, λ = 0.10, and λ = 0.20 being popular choices (Montgomery, 1996). A good rule
of thumb is to use smaller values of λ to detect smaller shifts. Further, L = 3 (the usual 3
sigma, 3σ, control limits) works reasonably well, particularly with the larger value of λ
(0.40). However, when λ is small, λ < 0.1, there is an advantage in reducing the width of
the limits by using a value of L between 2.6 and 2.8 approximately, according to
Montgomery (1996).

It is important to point out that when constructing an EWMA chart in the PSMIS,
the person first needs to select a type of Shewhart chart (c, p or u). The reason for this is
that the control limits and the plotted points of the EWMA control chart are
computed based on the center line and subgroup values, respectively, of the selected
attribute chart. This means that the PSMIS creates a c, p or u based EWMA chart,
depending on the analyst’s selection. For instance, a c based EWMA control chart cannot
be plotted using the center line and sample values from the p or u chart. The c based
EWMA chart has to be created using the mean and subgroup values of the c
control chart, like comparing apples with apples and oranges with oranges. Moreover, in
order to define the control limits for the EWMA chart, the PSMIS will ask the user to
indicate the L and λ factors (notice Figure 3.22). The values of these factors are depicted
in Table 3.2. The software program has a help option that provides suggestions to the
analyst about commonly used values for these factors.


3.7.6 Combined Shewhart-EWMA Control Chart 

As mentioned earlier, the EWMA performs well detecting small shifts but does 
not react to large shifts as quickly as the Shewhart control chart. A good way to further 
improve the sensitivity of the control procedure to large shifts without sacrificing the 
ability to detect small shifts quickly is to combine a Shewhart control chart with the 
EWMA (Borror et al., 1998). The combined Shewhart-EWMA control procedure is 
effective against both large and small shifts. This means that it is possible to plot both the 
Shewhart chart and the EWMA chart on the same graph along with the associated control 
limits for each chart (Hunter, 1986). This produces one chart for the combined control 
procedure which analysts quickly become adept at interpreting. 

Of course, the use of either the Shewhart control charts or the EWMA control 
chart, or both, in CHTFPM depends upon the nature of the system being analyzed and the 
desired protection from unwanted risks and hazards. If the system under observation has 
a good track record regarding safety and is relatively stable then, for simplicity, one of 
the Shewhart control charts described before will suffice. However, if small shifts in the 
overall safety mean cause system safety to degrade to unacceptable levels, the EWMA 
control chart should be used. It is recommended that if detecting small and large shifts is 
desirable, both the Shewhart and EWMA control chart should be used concurrently. 
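
The c based EWMA chart and the combined Shewhart-EWMA procedure described above, as an added example (not the PSMIS code): both charts are evaluated on the same subgroups and each signal is attributed to the chart that raised it. It uses the standard EWMA recursion and time-varying limits and assumes Poisson counts (sigma = sqrt(c-bar)); the sample counts and the choice λ = 0.20, L = 3 are constructed for illustration.

```python
import math


def c_chart_limits(prelim_counts, k=3.0):
    """Center line and k-sigma Shewhart limits of a c chart.

    prelim_counts: dendritic counts per preliminary subgroup (equal subgroup size).
    Assumption: counts are Poisson, so sigma = sqrt(c_bar).
    """
    c_bar = sum(prelim_counts) / len(prelim_counts)
    sigma = math.sqrt(c_bar)
    return c_bar, max(0.0, c_bar - k * sigma), c_bar + k * sigma


def ewma_points(counts, center, sigma, lam, L):
    """EWMA statistic and its control limits for each subgroup.

    z_i = lam * x_i + (1 - lam) * z_(i-1), with z_0 = center line of the c chart.
    Limits: center +/- L * sigma * sqrt(lam / (2 - lam) * (1 - (1 - lam)**(2i))).
    """
    rows, z = [], center
    for i, x in enumerate(counts, start=1):
        z = lam * x + (1.0 - lam) * z
        half = L * sigma * math.sqrt(
            lam / (2.0 - lam) * (1.0 - (1.0 - lam) ** (2 * i)))
        rows.append((z, max(0.0, center - half), center + half))
    return rows


def combined_chart(counts, prelim_counts, lam, L):
    """Evaluate the c chart and the c based EWMA chart on the same subgroups.

    Returns a list of (subgroup_number, [names of the charts that signal]).
    """
    center, s_lcl, s_ucl = c_chart_limits(prelim_counts)
    sigma = math.sqrt(center)
    ewma = ewma_points(counts, center, sigma, lam, L)
    signals = []
    for i, (x, (z, e_lcl, e_ucl)) in enumerate(zip(counts, ewma), start=1):
        hits = []
        if x > s_ucl or x < s_lcl:
            hits.append("shewhart")   # single subgroup far from the center line
        if z > e_ucl or z < e_lcl:
            hits.append("ewma")       # accumulated evidence of a small shift
        if hits:
            signals.append((i, hits))
    return signals


# Constructed sample data (not taken from the MSFC or KSC studies).
PRELIMINARY = [4, 3, 5, 4, 2, 6, 4, 5, 3, 4]        # c_bar = 4, sigma = 2
SMALL_SHIFT = [4, 5, 3, 4, 6, 7, 7, 7, 8, 7, 6, 8]  # mean drifts up, no count above 10
LARGE_SPIKE = [4, 3, 5, 11, 4, 3, 4, 5]             # one count above the c chart UCL

if __name__ == "__main__":
    for name, data in (("small shift", SMALL_SHIFT), ("large spike", LARGE_SPIKE)):
        print(name, combined_chart(data, PRELIMINARY, lam=0.20, L=3.0))
```

On the drifting series only the EWMA chart signals, and on the single spike only the c chart does, which is the reason for running both concurrently.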

3.8 Decision Support Structure of the PSMIS 

The CHTFPM MIS aids the system analyst in making decisions when dealing 
with special issues in a given system or process. These issues are given below: 

• Points out-of-control 

• Outliers 

• Assignable causes 

• Trend analysis 

• Pattern recognition 

It is important to highlight that most of the process of creating 
a project is iterative. This means that the user can update, change or erase previous 
information (wherever the PSMIS allows it) at any moment; consequently, the results 
previously calculated will be recomputed or changed. Most important, although the 
PSMIS offers recommendations to the system evaluator, the analyst can choose to do 
whatever he/she deems more convenient or appropriate. 

If a plotted point in a control chart is outside the control limits (out of control), the 
system assessor can trace that observation to investigate the reason for it. If the 
analyst finds out that the cause of such outcome is insignificant, then the person can treat 
that observation point as an outlier, which means that the process or system is not 
becoming hazardous. If this is the case, the PSMIS will suggest that the user erase the 
information (recorded dendritic occurrences) in that particular subgroup and continue 
using the same control limits for future samples. 

On the contrary, if that same point turns out to be an assignable cause (dendritic) 
that can jeopardize the safety integrity of the system, then the system evaluator has to 
take corrective action to fix the problem that caused such hazardous condition. Once the 
fault has been repaired, the analyst should re-establish the control chart parameters: 
center line, UCL and LCL. That is, new control limits must be employed since the 
process is no longer operating under the presence of hazards. 

This means that the same procedure followed to obtain the control boundaries 
for the first time must be repeated, and that the previous points will not be 
plotted in the control chart with the new control parameters. For this reason, the PSMIS 
will propose that the user create a new project in order to preserve the previously 
documented data. To avoid re-typing the same information of the original study, the user 
can duplicate the first project and save the new one with a different name, and he or she 
will just have to delete the observed dendritics that were registered in the sampling 
sheets. After that, the analyst can use the same preliminary sampling plan as the first one 
(original) or create a new one and begin the process of conducting preliminary samples to 
establish the new control limits. Once this has been done, the user can proceed to perform 
the actual sampling, which will have the latest control limits obtained from the recent 
preliminary data set. 

Trending and pattern recognition are insightful tools to make inferences on the 
safety status of the system under observation. These methods provide the data source for 
predictive safety. These approaches are the most commonly used for data evaluation when 
applying condition monitoring. The failure information associated with a system is used 
to supply the limits that the trend and pattern recognition will be measured against and 
what can be called an alarm limit value (Dicquemare, 1997). 

If the points in a control chart are truly random, an even distribution of the points 
is expected above and below the centerline. However, a control chart may indicate an 
out-of-control condition either when one or more points fall beyond the control limits or 
when the plotted points exhibit some nonrandom pattern or peculiar behavior, as shown 
in Figure 3.20. 



Figure 3.20: Assignable cause patterns on a control chart (Wise and Fair, 1998) 

The PSMIS will prompt the analyst to consider the following simple rules 
recommended by Wise and Fair (1998) to recognize or detect an out-of-control condition 
and, hence, take corrective and preventative measures: 

1. Points beyond the control limits. 

2. Eight or more consecutive points either above or below the center line. 

3. Four out of five consecutive points in or beyond the 2σ limits (referred to in Figure 
3.20 as Zone B). 

4. Six points or more in a row steadily increasing or decreasing. 

5. Two out of three consecutive points in the 3σ region (referred to in Figure 3.20 as 
Zone A). 
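
The five rules above as a checker over the plotted points, added here as an example (not the PSMIS code). Figure 3.20 is not reproduced, so the zone boundaries are an assumption: Zone B is read as the band that ends at the 2σ limit (it starts 1σ from the center line) and Zone A as the band that ends at the 3σ limit (it starts at 2σ); both are parameters, and the sample points are constructed.

```python
def same_side_count(window, center, distance):
    """Largest number of points in the window lying more than `distance`
    above the center line, or more than `distance` below it."""
    above = sum(1 for x in window if x - center > distance)
    below = sum(1 for x in window if center - x > distance)
    return max(above, below)


def steadily_moving(window):
    """True when each point is higher than the one before, or each is lower."""
    pairs = list(zip(window, window[1:]))
    return all(b > a for a, b in pairs) or all(b < a for a, b in pairs)


def run_rule_signals(points, center, sigma, zone_b=1.0, zone_a=2.0, limit=3.0):
    """Apply the five rules to the plotted points of one control chart.

    zone_b, zone_a, limit: distances from the center line, in sigmas, at which
    Zone B, Zone A and the control limits begin (assumed layout, see lead-in).
    Returns {rule_number: [1-based index of the point that completes the pattern]}.
    """
    fired = {rule: [] for rule in range(1, 6)}
    for i in range(1, len(points) + 1):
        # Rule 1: a point beyond the control limits.
        if abs(points[i - 1] - center) > limit * sigma:
            fired[1].append(i)
        # Rule 2: eight consecutive points on one side of the center line.
        if i >= 8 and same_side_count(points[i - 8:i], center, 0.0) == 8:
            fired[2].append(i)
        # Rule 3: four of five consecutive points in Zone B or beyond, same side.
        if i >= 5 and same_side_count(points[i - 5:i], center, zone_b * sigma) >= 4:
            fired[3].append(i)
        # Rule 4: six points in a row steadily increasing or decreasing.
        if i >= 6 and steadily_moving(points[i - 6:i]):
            fired[4].append(i)
        # Rule 5: two of three consecutive points in Zone A or beyond, same side.
        if i >= 3 and same_side_count(points[i - 3:i], center, zone_a * sigma) >= 2:
            fired[5].append(i)
    return fired


# Constructed series for a chart with center line 10 and sigma 2.
TREND = [9, 10, 11, 12, 13, 14]                 # steady rise inside the limits
RUN_ABOVE = [11, 11, 12, 11, 10.5, 11, 12, 11]  # eight points above the center line
ZONE_A = [10, 14.5, 9, 15, 10]                  # two of three beyond 2 sigma
ZONE_B = [13, 12.5, 10, 13, 12.2]               # four of five beyond 1 sigma

if __name__ == "__main__":
    for name, series in (("trend", TREND), ("run", RUN_ABOVE),
                         ("zone A", ZONE_A), ("zone B", ZONE_B)):
        hits = {r: idx for r, idx in run_rule_signals(series, 10, 2).items() if idx}
        print(name, hits)
```

None of the constructed series has a point beyond the 3σ limits, so each pattern would be missed by rule 1 alone.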

3.8.1 Management Reports of the PSMIS 

The management reports are generated from all the information that was included 
in the project. In other words, the PHA, FMEA, barrier analysis, dendritic list, control 
charts, etc. can be viewed in a defined format or in the form of a report. Since everything 
was already calculated (UCL, LCL, dendritics frequency, etc.) by the CHTFPM code, the 
program easily extracts the requested information and displays it in a report fashion, 
which can be printed or viewed on the screen. Figures 3.21 and 3.22 illustrate the 
flowchart of this process. 

Additionally, to display the control charts, the individual has to indicate which 
chart to view: Shewhart, EWMA or the combined Shewhart-EWMA control chart, as 
depicted in Figure 3.22. Furthermore, the end-user can copy the tables, charts or diagrams 
and paste them in a different file or document. 



Figure 3.21: Flowchart of management reports (part 1). 

Some parts of the project elaboration, as was said earlier, are iterative; 
therefore, the analyst can make the permitted changes to a project at any point. If this 
happens, the existing results associated with the new modifications will be affected 
accordingly, but the software application will warn the analyst with regard to the 
alterations that are about to take place and will prompt him/her for consent. If the 
individual retracts his/her choice, then the changes will not be saved and the current 
information will remain the same. 

A useful feature of the PSMIS is that it offers the user the ability to view the 
collected data in any type of Shewhart control chart, as shown in 
Figures 3.21 and 3.22. Nevertheless, to carry out this operation, the system analyst needs to 
go back to the point where the control limits are established, specifically where the 
person selects the type of attribute chart (see Figure 3.17). To return or go to a 
location of interest in the program, the user can simply click on the respective buttons to 
continue or advance in the project process until arriving at the desired location. 

3.8.2 Help Screens and Decision Support 

The PSMIS will aid or guide the user on how to fill out forms and fields by 
providing assistance and advice through help screens. The sections contained in this 
chapter include explanations and suggestions to perform certain tasks in the computer 
program. All those clarifications or steps that describe how to utilize a function of the 
software are summarized in help windows, which are available to the analyst. Many of 
these help dialogue boxes are recommendations to the end-user, so that optimum results 
can be obtained, like in the case of deciding what type of control chart to use. In this 
situation the CHTFPM MIS will offer the user the references explained in Table 3.3 in 
the form of a help screen that would be accessible to the system analyst. However, the 
individual always has the liberty of taking the course of action that is more convenient 
based on the desired results, system being considered and personal judgment. 


Table 3.3: Summary of control chart applications in the CHTFPM (Quintana et al 

| Control chart | Description | Advantages | Disadvantages | Recommended application |
|---|---|---|---|---|
| p control chart | Ratio of nonconforming items in a population to the total number of items in that population | Relative ease of implementation, calculations, and easy to explain | Does not detect small shifts (<1.5σ) well | Use to describe dendritic frequency in relation to maximum possible occurrences |
| c control chart | Counts the total number of nonconformities in a unit or inspection sample | Relative ease of implementation, calculations, and easy to explain | Does not detect small shifts (<1.5σ) well | Use when a count of dendritics is desired |
| u control chart | Tracks the average number of nonconformities per unit | Relative ease of implementation, calculations, and easy to explain | Does not detect small shifts (<1.5σ) well | Use when the sample size is not constant |
| Weighted c control chart | Classifies defects according to seriousness | Signals according to severest dendritics | Incorrect classification of defect could cause false alarms | Applicable when some dendritics are more important than others |
| EWMA control chart | Use when detecting small shifts (1.5σ or less) is desired | Detects small shifts better than Shewhart control charts | Does not detect large shifts as well as Shewhart control charts | Applicable when small shifts in the safety mean raise unacceptable safety risks |
| Combined Shewhart-EWMA control chart | Use when both small and large shifts need to be detected | Provides analysis to detect both large and small shifts | Short time period necessary for analyst to become adept at interpreting chart | Use if EWMA control chart is being used to detect small shifts |


The PSMIS not only provides warnings to the analyst in order to prevent 
mistakes, but it also offers the user recommendations in decision making so that he or she 
can understand and interpret the results without difficulty. For instance, the CHTFPM 
MIS offers the user suggestions about which control chart or distribution is more suitable 
for the type of data collected, such as the ones described in Table 3.3 (which elucidates the 
appropriateness of each control chart and its recommended applications). The software 
package does this by informing the user what kind of control chart is more 
convenient according to the response being sought. It is up to the system assessor to 
determine which control chart would be most advantageous to implement depending on 
the circumstances of the system. 

An important aid that the PSMIS provides to the user applies when an inspection or 
observation screen (where the dendritic occurrences are typed in) is left blank on 
purpose, perhaps because no dendritics occurred. When this happens, the PSMIS/CHTFPM 
MIS will assume that such observation was not conducted, which will affect the subgroup 
size and hence various calculations and results. The CHTFPM MIS will 
prevent the person from committing such a mistake by alerting him/her that there are some 
blank observations. Additionally, the warning message will say how to avoid this 
problem. It will tell the user to simply place a 0 (zero) in any of the boxes that are next to 
every dendritic in the observation window that was empty. By doing this, the software 
program will know that no dendritics were observed in that specific inspection and will 
count that observation toward the necessary computations. 

If an observation number (screen) was skipped or not filled in, either intentionally 
or accidentally, the PSMIS will notify the analyst of this issue by displaying the message 
box previously mentioned. Nonetheless, the user can choose to leave such an 
inspection number unfilled. If this is the case, the CHTFPM computer system will inform the user 
with a second warning message that the only available control chart will be the u chart 
because the subgroups vary in sample size. In other words, to view the control charts 
other than the u chart, the size of each subgroup has to be the same (review Section 3.7 
entirely for sample size restriction). If the analyst does not want to be restricted only to 
the u control chart, then the vacant observation screens have to be filled out. 
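
The blank-observation behaviour described above, as an added example (not the PSMIS code): a blank screen is dropped from its subgroup, a recorded zero is counted, and unequal subgroup sizes leave only the u chart. Assumptions: one observation screen is one inspection unit, a blank screen is represented by None, the u chart uses the standard limits u-bar ± 3·sqrt(u-bar/n), and the dendritic keys and counts are constructed.

```python
import math


def subgroup_sizes(subgroups):
    """Count the filled observation screens per subgroup.

    subgroups: list of subgroups; each is a list of observations, where an
    observation is a {dendritic: count} dict or None for a blank screen.
    Returns (sizes, blanks), blanks being (subgroup_no, observation_no) pairs.
    """
    sizes, blanks = [], []
    for g, observations in enumerate(subgroups, start=1):
        sizes.append(sum(1 for o in observations if o is not None))
        blanks += [(g, k) for k, o in enumerate(observations, start=1) if o is None]
    return sizes, blanks


def available_charts(sizes):
    """Only the u chart remains when the subgroup sizes differ."""
    return ["c", "p", "u"] if len(set(sizes)) == 1 else ["u"]


def fill_blanks(subgroups, dendritics):
    """Record a 0 for every dendritic on each blank screen, as the warning advises."""
    return [[{name: 0 for name in dendritics} if o is None else o
             for o in observations] for observations in subgroups]


def u_chart(subgroups, k=3.0):
    """u chart with per-subgroup limits for unequal subgroup sizes.

    Returns (u_bar, [(u_i, lcl_i, ucl_i), ...]).
    """
    sizes, _ = subgroup_sizes(subgroups)
    if 0 in sizes:
        raise ValueError("a subgroup has no filled observation screens")
    totals = [sum(sum(o.values()) for o in observations if o is not None)
              for observations in subgroups]
    u_bar = sum(totals) / sum(sizes)
    rows = []
    for n, c in zip(sizes, totals):
        half = k * math.sqrt(u_bar / n)
        rows.append((c / n, max(0.0, u_bar - half), u_bar + half))
    return u_bar, rows


# Constructed sample: three subgroups of four observation screens each.
DENDRITICS = ["ppe_not_worn", "hose_in_traffic_area"]
SAMPLE = [
    [{"ppe_not_worn": 1, "hose_in_traffic_area": 0}, {"ppe_not_worn": 0, "hose_in_traffic_area": 0},
     {"ppe_not_worn": 0, "hose_in_traffic_area": 1}, {"ppe_not_worn": 0, "hose_in_traffic_area": 0}],
    [{"ppe_not_worn": 0, "hose_in_traffic_area": 0}, None,   # screen left blank
     {"ppe_not_worn": 2, "hose_in_traffic_area": 0}, {"ppe_not_worn": 0, "hose_in_traffic_area": 1}],
    [{"ppe_not_worn": 0, "hose_in_traffic_area": 0}, {"ppe_not_worn": 1, "hose_in_traffic_area": 0},
     {"ppe_not_worn": 0, "hose_in_traffic_area": 0}, {"ppe_not_worn": 0, "hose_in_traffic_area": 0}],
]

if __name__ == "__main__":
    sizes, blanks = subgroup_sizes(SAMPLE)
    print("sizes", sizes, "blank screens", blanks, "charts", available_charts(sizes))
    print("u chart", u_chart(SAMPLE))
    filled = fill_blanks(SAMPLE, DENDRITICS)
    print("after recording zeros:", available_charts(subgroup_sizes(filled)[0]))
```

With the blank screen the center line is 6/11 over 11 observations; once zeros are recorded it becomes 6/12, which shows how a skipped entry shifts the results.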


Chapter 4 


4. IMPLEMENTATION AND EVALUATION OF THE PSMIS 

This chapter describes the implementation as well as the evaluation of the PSMIS 
or CHTFPM MIS. As was explained in Section 1.5, two previously NASA validated 
projects served as the platform to implement the PSMIS. The results from those two 
predictive safety studies were compared with the outcomes obtained using the CHTFPM 
MIS to determine the reliability of the results given by the software application. 

Moreover, the time and the manpower (persons) required to finish each study 
manually was measured against the time and manpower necessary to complete those 
same projects when the CHTFPM computer program was utilized. Therefore, to evaluate 
the reliability and efficiency of this predictive safety software package, three key factors 
were considered: accuracy of results as well as manpower and time, respectively. 


4.1 Introduction 

The implementation and evaluation of the PSMIS is outlined in Section 4.2, while 
Section 4.3 provides a point by point comparison of the construction of dendritics among 
the manual and PSMIS approach. Section 4.4 describes the creation of the sampling sheet 
from the manual and PSMIS perspective. In Section 4.5, the development of the sampling 
plan in the PSMIS is elucidated, followed by Section 4.6 that reveals how the PSMIS 
depicts the statistical significance for a project. Section 4.7 presents the types of charts 
created by the PSMIS, and Section 4.8 shows the reliability and efficiency of the PSMIS. 

4.2 Implementation and Evaluation Synopsis of the PSMIS 

The implementation and evaluation of the PSMIS can be summarized in the 
following steps: 

1. Development of dendritic elements. 

2. Design sampling sheet. 

3. Determine rational subgroups, sample size, and sampling plan. 

4. Demonstrate statistical significance. 

5. Establish control limits and control charts. 

6. Attest reliability and efficiency of the PSMIS. 

The above steps were used to carry out the implementation of the CHTFPM MIS 
or PSMIS using the selected case studies (see Section 1.5). The systems under 
consideration were the promoted combustion testing chamber at the Marshall Space 
Flight Center (MSFC) and the hoisting operation of four high-pressure gas tanks 
(HPGTs) at Kennedy Space Center (KSC). 

The hazards involved in the promoted combustion testing are several. For 
instance, heavy parts of the test apparatus are moved on a regular basis by the operators 
and if not handled with caution, it could cause an injury (e.g. foot injury if a heavy 
component falls on top of the operator’s foot). Testing involves burning materials in an 
oxygen-enriched environment, thus introducing the hazards associated with explosions. 
There could be a burn hazard to the operator that could occur during sample unloading 
because of molten metal slag. Sample preparation technicians frequently handle cleaning 
solvents that require personal protective equipment. 

Similarly, the hoisting operation and testing of the HPGTs at KSC entails hazards 
related to cumulative trauma disorders such as back or shoulder injuries due to reaching 
when hoisting the tanks. In addition, the operators work with pressurized gas cylinders 
containing oxygen and nitrogen, so if personnel mishandle or lean heavily on the tanks, 
it could cause an explosion. Hence, workers are exposed to numerous hazards of 
different kinds. 

The CHTFPM MIS has two basic features: the construction of the dendritics of a 
system, which originate the hazards, and the development of the sampling 
study to be conducted in order to detect the presence of those dendritics. Based on these two 
features, the procedure for implementation of the CHTFPM MIS is described in the 
following sections, which are elaborated using the case studies described in Section 1.5. 

4.3 Development of Dendritic Elements 

The dendritics for the promoted combustion testing operations at MSFC as well as 
the dendritic elements for the testing, preparation and hoisting operation of the HPGTs at 
KSC are developed in the following subsections. Determination of the conditions leading 
to hazards, the dendritics, is a major step in the development of a project in the PSMIS. 

The dendritic focus is on human interaction with the system, as it pertains to both 
industrial scenarios. Consultation with system engineers and operators allowed for the 
refinement of the hazard criterion. Understanding the substructure of the systems under study 
is essential to recognize possible hazards, and thus allowed for the inception of dendritic 
construction, namely the preliminary hazard analysis. 


4.3.1 Preliminary Hazard Analysis 


Dendritics are built in part by the fabrication of the Preliminary Hazard Analysis 
(PHA), which aids the analyst in identifying and evaluating hazards as well as the safety 
design and operations requirements needed to maintain system safety. The PHA is 
performed to provide an initial risk assessment of a system. It is based on the best 
available data, including mishap data from similar systems. Design controls and other 
actions needed to eliminate or control the hazard(s) should be considered or documented. 


Hazardous Condition | Hazard Cause | Hazard Effect | Safety/Engineering Requirements | Hazard Elimination/Control Provisions 
Expired calibration (gauge, transducer, etc.) | Human error (scheduling) | Loss of confidence in component indication | Meet minimum calibration requirements as specified by manufacturer | Calibration schedule reviews and audits 

(a) 

[PSMIS "Preliminary Hazard Analysis" form (Project name: Promoted Combustion Testing; Date: Tuesday, May 13, 2003) containing the same entry as in (a); screenshot not reproduced] 

(b) 


Figure 4.1: Comparison between the (a) manual and (b) PSMIS approach for the PHA 
forms of the MSFC case study. 

Two PHAs were performed manually, one for the MSFC study (Appendix A 
shows the entire PHA of this project) and the other for the KSC case scenario (see 
Appendix H for the entire PHA of this project). Additionally, the corresponding PHAs 
were built using the PSMIS. Figure 4.1 depicts the comparison between a portion of the 
resulting PHA for the MSFC project by applying the two approaches: manually and via 
CHTFPM MIS. In the same way, Figure 4.2 portrays the contrast among two segments of 
the PHA, accordingly, for the KSC study. 


Hazardous Conditions | Hazard Cause | Hazard Effect | Safety/Engineering Requirements | Hazard Elimination Control Provisions 
1. Non-hazard proof electrical equipment | Human Error (Failure to follow SOP) | Fire/Explosion resulting in injury or death to personal and loss of or damage to flight hardware, Ground Support Equipment (GSE), and facility. | Lock out and tag out all non-hazard proof non-electrical equipment | High Pressure Gas Tanks test work authorization procedures (WAP) contain steps requiring a walk down to verify that all electrical equipment has been locked out and tagged. 

(a) 

[PSMIS "Preliminary Hazard Analysis" form (Project name: Senior Project; Date: Tuesday, May 13, 2003; Description: The Application of a Continuous Hazard Tracking and Failure Prediction Methodology) containing the same entry as in (a); screenshot not reproduced] 

(b) 

Figure 4.2: Comparison between the (a) manual and (b) PSMIS approach for the PHA 
forms of the KSC case study. 


Notice how the two PHAs done by hand (using a word processor program) vary in 
format; this is because the analysts involved in the distinct projects have dissimilar 
interests or appeals. On the contrary, the PHAs created by the PSMIS have consistency 
throughout. Furthermore, the portions of the PHAs of the two studies are exact replicas of 
the original analyses forms; this signifies that no modifications have been made to their 
appearance at the time of copying them to this project. This is also the case for the FMEA 
and barrier analysis which are presented next. 


4.3.2 Failure Mode and Effect Analysis 

The PHA, by granting a basic depiction of the hazards and the subsequent safety 
design criterion thereof, facilitates the second tool used in dendritic derivation: the failure 
mode and effect analysis (FMEA). The FMEA is constructed based on the results 
obtained in the PHA. The FMEA is defined as a bottom-up method of identifying the 
failure modes of a system and determining the effects on the next higher level. Thereby 
the FMEA form in the PSMIS contains, among others, three fields (or boxes) entitled 
“Local Effects,” “Next Higher Level,” and “End Effects” since there can be more than 
one effect caused by a failure. The derived FMEAs (for both projects) consider 
human/machine interaction and the possible consequences of such interaction. 

It is important to mention that there are several techniques to construct an FMEA, 
but they are all similar in the sense that they include the same essential information 
(fields or headings). Basically, the only variation among the various techniques is that the 
titles of the fields are arranged in a distinct way. The following figures show fractions of 
the FMEA for both the MSFC and KSC safety studies with their respective FMEA forms 
created by the CHTFPM MIS (Appendix B and I give the full FMEA for the MSFC and 
KSC project, respectively). The FMEA for the MSFC case study is different from the one 
for the KSC industrial scenario; moreover, these two FMEA forms are dissimilar from 
the one that the PSMIS utilizes. Therefore, Figures 4.3 and 4.4 illustrate the distinctions 
between three types of FMEA forms. However, it is fundamental to remember that the 
FMEAs of each project are an identical copy of the original analyses. 

[Figure 4.3 panels not reproduced: (a) excerpt of the manual FMEA form; (b) PSMIS "Failure Mode Effect Analysis" form for the Promoted Combustion Testing project, with the entry "Failure to calibrate equipment by due date / scheduling" and the fields "Local Effects" and "Next Higher Level".] 

Figure 4.3: Comparison between the (a) manual and (b) PSMIS approach for the FMEA 
forms of the MSFC case study. 


In some boxes (the fields) of the FMEA forms created by the CHTFPM 
MIS, the text does not fully fit or is not completely visible. Nonetheless, each box has a 
scroll bar that appears in the field when the cursor is in it, thus enabling the user to view 
the entire comment in that area or topic. 


Transport Oxygen from PRUA to HPGT | Ignition | Fire/Explosion resulting in injury or death to personal and loss of or damage to flight hardware, Ground Support Equipment (GSE), and facility. | Striking a valve body just downstream of the control element of the valve can cause Particulate Impact ignition caused by the exposure of un-oxidized metal surfaces. | Five 10 Micron filters remove particulates. | Continue to use five 10 Micron filters remove particulates. 

(a) 

[PSMIS FMEA form; screenshot not reproduced] 

(b) 

Figure 4.4: Comparison between the (a) manual and (b) PSMIS approach for the FMEA 
forms of the KSC case study. 


It can be clearly seen that the FMEAs produced by the PSMIS are not precise 
duplicates of the manual forms, as it was explained earlier. However, the same 
information contained in the original FMEAs is also comprised in the FMEA forms 
developed by the PSMIS, respectively. This is particularly true because the same topics, 
hence the same information, are incorporated in the FMEA forms of the CHTFPM MIS, 
correspondingly. The slight disparity is just in the order or fashion that the fields are 
structured in each type of FMEA. 


4.3.3 Barrier Analysis 


The two complete barrier analyses for the MSFC and KSC case studies are 
depicted in Appendix C and J, correspondingly. The barrier analyses were performed on 
several hazards not identified on the PHA and on the FMEA. Hazards pertaining to 
humans, especially, were included in these analyses since this type of analysis works 
exceptionally well when analyzing human factors affecting system safety or system 
components jeopardizing human safety. Again, a section of the barrier analysis of each 
project is shown along with its concomitant PSMIS analysis form in Figures 4.5 and 
4.6 for the MSFC and KSC project, respectively. 




Figure 4.5: Comparison between the (a) manual and (b) PSMIS approach for the barrier 
analysis forms of the MSFC case study. 

All personnel exposed to GOX leaks shall remain 
isolated from ignition sources for at least 30 min. 

Human Barrier 

Human Failure 

(a) 

(b) 

Figure 4.6: Comparison between the (a) manual and (b) PSMIS approach for the barrier 
analysis forms of the KSC case study. 


4.3.4 Dendritic Construction 

The last step in the construction of dendritics consists of using the completed 
PHA, FMEA and barrier analysis to obtain a final list of conditions that may become 
hazardous. These conditions are known as dendritic elements or just dendritics. After 
reviewing each item in the PHA, FMEA and the barrier analysis, a preliminary dendritic 
list was formed depicting possible occurrences that may result in system failure or 
accidents. Afterward, the list is revised to check for any repeating or similar elements and 
to rephrase any items if necessary in order to arrive at the final list of dendritics. The 
dendritic roster is a useful tool that allows system personnel to determine the 
behaviors/actions that could cause potential hazards, which could lead to accidents or 
failures, in the future. Figures 4.7 and 4.8 represent a portion of the dendritic roll for the 
MSFC and KSC case studies, respectively, in comparison with the lists made by the 
CHTFPM MIS, accordingly. Refer to Table 4.1 and Appendix K for the whole dendritic 
list of the MSFC and KSC project, correspondingly. 

[Figure 4.7 panels not reproduced: (a) manual dendritic list and (b) PSMIS "Dendritics List" form for the MSFC project.] 

Figure 4.7: Comparison between the (a) manual and (b) PSMIS dendritic list of the 
MSFC case study. 

Protective covering [remainder illegible] 
... calibration not done on regular scheduled intervals 
Hose/tubing in high-traffic area. 
Personnel not wearing proper Personal Protective Equipment 
Over pressurization of HPGTs. 
Under pressurization of HPGTs. 
Flow rates exceed preset limits. 
Temperature exceeds preset limits. 
General cleanliness. 

(a) 

[PSMIS "Dendritics List" form (Project Name: Senior Project; Date: Tuesday, May 13, 2003; Description: The Application of a Continuous Hazard Tracking and Failure Prediction Methodology); screenshot not reproduced] 

(b) 

Figure 4.8: Comparison between the (a) manual and (b) PSMIS dendritic list of the KSC 
case study. 


The PSMIS creates the dendritic list automatically by pressing the “Import 
Dendritics” button (see Section 3.5). Additionally, the dendritic list form also has a scroll 
bar to view the whole roster of dendritics if they are not visible in the space provided. 





4.4 Design of the Sampling Sheet 

The sampling carried out in CHTFPM is used to check for the presence or 
absence of the given conditions, which are the dendritics. However, the sampling sheet is 
designed so that it provides the analyst a closer look at the behavior of the system. That 
is, it provides the tally marks for the occurrence of each dendritic so that a Pareto analysis 
can indicate which one is most significant and causing the system to behave in a 
deteriorating manner. This cannot be considered statistically significant, but it provides 
an indication of which is the dendritic influencing the system to become hazardous. A 
portion of the manual sampling sheet for the promoted combustion testing (MSFC case 
study) is shown below in Figure 4.9. 





[Figure 4.9, portion of the manual sampling sheet; legible rows: failure to adhere to the SOP; incorrect procedure used to don latex gloves; same surface contact (bare hand and latex glove); personnel wearing dirty latex gloves; trash and combustibles not in fire retardant containers; test area not in “limited access control”; test cell used for storage; personnel limitations for a test cell exceeded (maximum of 5 people allowed in test cell area); personnel not wearing safety shoes in test area or while moving heavy objects. The sheet ends with a COMMENTS area.]

Figure 4.9: Sampling sheet created manually for the MSFC project.





Figure 4.10: Sampling sheet developed by the PSMIS for the MSFC project. 
In the sampling sheet for the MSFC study that was done manually, the analyst is
required to note down the time and day when the observation(s) was conducted. In
contrast, the sampling sheet produced by the PSMIS (Figure 4.10) includes the date
when it was printed and the time when the observation should be conducted, so the
analyst does not have to record such information. Therefore, it is strongly recommended
to conduct the necessary observations on the same day the sampling sheet was printed, so
that the printed date will match the observation date.

Similarly, in the sampling sheet for the KSC research study, the system evaluator
has to write down the day and time when the observation will be conducted. Furthermore,
this sampling form (Figure 4.11) does not have a space for commentaries, while the
survey sheet constructed by the CHTFPM MIS (Figure 4.12) does incorporate an area for
comments at the bottom of the page.


[Figure 4.11, manual sampling sheet with numbered rows; row 1 is not legible; rows 2 to 9: instrumentation calibration not done on regular scheduled intervals; hose/tubing in high-traffic area; personnel not wearing proper Personal Protective Equipment; over pressurization of HPGTs; under pressurization of HPGTs; flow rates exceed preset limits; temperature exceeds preset limits; general cleanliness.]

Figure 4.11: Sampling sheet created manually for the KSC project.





Figure 4.12: Sampling sheet developed by the PSMIS for the KSC project. 
4.5 Rational Subgroups, Sample Size and Sampling Plan

According to the rationale presented in Section 3.6.1, time order was the logical 
basis for the data collection in the two studies used to implement the PSMIS. The 
promoted combustion testing operations were videotaped over the period of a week. The 
videotaped operations were split into 100 subgroups with 4 observations in each 
subgroup. Therefore, the sampling plan for this case scenario (MSFC) was constituted by 
100 samples of size 4, for a total of 400 observations. The random times corresponding to 
the necessary observations for the sampling scheme were generated using a random timer 
connected to a time lapse VCR (GYYR, Model Number TLC3168HD). 

The mode in which this partition of subgroups was accomplished is described as 
follows. The videotaped operations were played back as input into the time lapse VCR. A 
random timer that randomly records a set number of clips of certain duration controls the 
time lapse VCR. The total time of the videotaped operations was split into 100 
subgroups. The random timer was then set to randomly record 4 inspections from each 
subgroup. Each random inspection was approximately 10 seconds long to allow adequate 
time to check for all 21 dendritics. 

On the other hand, the method that the PSMIS uses to achieve the separation of 
subgroups is by requesting the user to specify the number of groups, subgroups and 
observations per subgroup (see Section 3.6.3 for more details). Before setting up the 
sampling scheme, it is critical to keep in mind that the CHTFPM MIS first asks the user 
to develop a preliminary sampling plan (see also Section 3.6.3). In the MSFC project, the 
preliminary sampling scheme was composed of 10 samples (subgroups), which entailed 
40 inspections, as seen in Figure 4.13. The preliminary observations are used to establish 
the center line and control limits for the Shewhart charts. 



Figure 4.13: Preliminary sampling plan created by the PSMIS for the MSFC project. 


After this is done, the analyst can proceed to create the actual sampling plan
which would consist of the remaining 90 subgroups. The preliminary and actual
subgroups are then merged by the PSMIS in order to obtain the total number of samples
and to display the complete Pareto diagram and control charts (refer to Sections 3.6.3 and
3.6.4 for a complete explanation).

Exactly the same method employed in the MSFC project to establish the division
of subgroups was utilized in the hoisting operation (KSC) case study: a random timer
connected to a time lapse VCR (GYYR, Model Number TLC3168HD). In this situation,
the videotaped operations were split into 18 subgroups with 4 observations each. The
preliminary sampling plan was composed of 4 samples, which resulted in 16 observations
as depicted in Figure 4.14.

Figure 4.14: Preliminary sampling plan created by the PSMIS for the KSC project.

4.6 Statistical Significance 

In order for a safety study to have statistical validity, the calculation of the
number of observations needed, n' (n prime), to attain statistical significance is
obligatory, where n' is determined from the data of the preliminary inspections. For the
MSFC project, an L' of 10 %, a confidence level (CL) of 90 %, thus an α' = 0.10 (10 %
error), were considered to be appropriate by the analyst. Thus, the computation of p, the
percent of dendritics present in the preliminary study, is first necessary to determine the
minimal sample size required (n') to obtain statistical reliability.

In the MSFC process, a total of 21 dendritics were recognized, which constituted
the dendritic list. Additionally, there were 21 dendritic occurrences in the 40 random
observations of the preliminary sampling study of the videotaped promoted combustion
chamber testing operations (see Section 4.5), thus substituting into Equation 3.2 yields:

$$p = \frac{\text{Number of dendritics observed in preliminary sampling}}{(\text{Total possible dendritics per observation}) \times (\text{Number of observations})} = \frac{21}{21 \times 40} = 0.025$$

To determine whether statistical significance was achieved, the p value is substituted
into Equation 3.3, which yields:

$$n' = \frac{4\,(z'_{\alpha/2})^2\, p\,(1-p)}{(L')^2} = \frac{4 \times 1.645^2 \times 0.025 \times (1 - 0.025)}{(0.1)^2} = 26.38 = 27 \text{ observations}$$

This result is evidence that statistical significance was attained since the actual
number of random inspections (n = 40) was greater than the number of observations
needed (n' = 27). Once again, these typed equations and calculations are also a true copy
of the original computations, both for the MSFC and KSC case studies. However, the
actual error for this study was not calculated by the analyst. The PSMIS performs these
calculations and has the advantage of also computing the actual error by solving for α in
Equation 3.3 and substituting the actual number of samples taken thus far, n, for n'. Figure
4.15 shows the values of p (shown as “p^”), n, n', and the actual error (α), among others.


[Figure 4.15, PSMIS “Statistical Significance” screen for the Promoted Combustion Testing Chamber project. Inputs: Length of Interval 10 % (L'), Confidence Level 90 % (CL), Percent Error 10 % (Desired Alpha). Legible parameter values: 2.0255; 0.0812; alpha/2: 0.0217. Results: Current Observations 40 (n), Observations Needed 27 (n'), Actual Error 4.34 % (Actual Alpha).]

Figure 4.15: Statistical significance screen for the MSFC project provided by the PSMIS.
Similarly, for the hoisting operation study at KSC, an L' of 10 %, a CL of 90 %,
hence an α' of 10 %, were deemed appropriate by the analyst as well. In addition, 57
dendritic elements composed the dendritic roster. Further, 12 dendritic occurrences were
observed in the 16 inspections comprised in the preliminary sampling data set of the
videotaped operations (see Section 4.5). Substituting into Equation 3.2 gives:

$$p = \frac{\text{Number of dendritics observed in preliminary sampling}}{(\text{Total possible dendritics per observation}) \times (\text{Number of observations})} = \frac{12}{57 \times 16} = 0.013$$

According to Equation 3.3, the number of observations needed to attain statistical
significance (n'), as calculated by the analysts of the KSC project, is the following:

$$n' = \frac{4\,(z'_{\alpha/2})^2\, p\,(1-p)}{(L')^2} = \frac{4 \times 1.645^2 \times 0.013 \times (1 - 0.013)}{(0.1)^2} = 14.05 = 15 \text{ observations}$$

In this safety study, the analyst did not calculate the actual error either. Figure
4.16 depicts the p (shown as “p^”), n, n', and the actual error (α) values, among others.


[Figure 4.16, PSMIS “Statistical Significance” screen for the Senior project. Inputs: Length of Interval 10 % (L'), Confidence Level 90 % (CL), Percent Error 10 % (Desired Alpha). Legible parameter values: z: 1.7551; 0.0132; z': 1.6440; L: 0.0937; alpha/2: 0.0401. Results: Current Observations 16 (n), Observations Needed 15 (n'), Actual Error 8.01 % (Actual Alpha).]

Figure 4.16: Statistical significance screen for the KSC project provided by the PSMIS.
The PSMIS rounds up to the next integer the number of inspections needed for statistical
significance. This is done since there cannot be a decimal or fraction of an observation.
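
The sample-size check of Equations 3.2 and 3.3 and the actual-error calculation described in this section, as an added Python example (not the PSMIS code; function names are illustrative). The `table_lookup` option, which truncates z to two decimals before reading the normal tail as one would with a printed z-table, is an assumption that reproduces the Actual Alpha values of 4.34 % and 8.01 % shown on the two screens; the page does not say how the PSMIS evaluates the tail.

```python
"""Added example: Equations 3.2 and 3.3 for the MSFC and KSC preliminary samples."""
import math
from statistics import NormalDist

STD_NORMAL = NormalDist()  # standard normal, mean 0 and sigma 1


def dendritic_fraction(occurrences, list_size, observations):
    """Equation 3.2: occurrences / (possible dendritics per observation * observations)."""
    if list_size <= 0 or observations <= 0:
        raise ValueError("list_size and observations must be positive")
    return occurrences / (list_size * observations)


def observations_needed(p, interval=0.10, desired_alpha=0.10):
    """Equation 3.3: n' = 4 z'^2 p (1 - p) / L'^2, rounded up to a whole observation."""
    z_prime = STD_NORMAL.inv_cdf(1 - desired_alpha / 2)  # about 1.645 for a 90 % CL
    return math.ceil(4 * z_prime ** 2 * p * (1 - p) / interval ** 2)


def actual_error(n, p, interval=0.10, table_lookup=False):
    """Solve Equation 3.3 for alpha, with n' replaced by the n observations taken.

    Returns (z, alpha). With table_lookup=True, z is truncated to two decimals
    before the tail area is computed (assumption, see the lead-in).
    """
    if not 0 < p < 1:
        # p = 0 (no dendritic seen yet) leaves the equation undefined.
        raise ValueError("p must lie strictly between 0 and 1")
    z = interval * math.sqrt(n / (4 * p * (1 - p)))
    z_used = math.floor(z * 100) / 100 if table_lookup else z
    alpha = 2 * (1 - STD_NORMAL.cdf(z_used))
    return z, alpha


# Preliminary-sample figures quoted in Section 4.6:
# (dendritic occurrences, dendritics on the list, observations taken)
CASES = {"MSFC": (21, 21, 40), "KSC": (12, 57, 16)}


def report(case):
    """Collect p, n', the significance verdict and both actual-error variants."""
    occurrences, list_size, n = CASES[case]
    p = dendritic_fraction(occurrences, list_size, n)
    needed = observations_needed(p)
    z, alpha_exact = actual_error(n, p)
    _, alpha_table = actual_error(n, p, table_lookup=True)
    return {"p": p, "n": n, "n_needed": needed, "significant": n >= needed,
            "z": z, "alpha_exact": alpha_exact, "alpha_table": alpha_table}


if __name__ == "__main__":
    for name in CASES:
        r = report(name)
        print(f"{name}: p={r['p']:.4f} n={r['n']} n'={r['n_needed']} "
              f"z={r['z']:.4f} alpha={r['alpha_exact']:.4f} "
              f"(two-decimal z lookup: {r['alpha_table']:.4f})")
```

Evaluating the normal tail at the untruncated z gives a slightly smaller actual error than the two-decimal lookup, so the two variants should not be mixed when comparing runs.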

4.7 Establish Control Limits and Control Charts 

Several control chart procedures were introduced in Chapter 3 (Section 3.7). It is
up to the system analyst to determine which control chart would be most advantageous to
use. This decision can depend on the system being analyzed, data observed, availability
of resources, time, system limitations, desired protection from unacceptable risks or
hazards, desired results, etc.

Once the minimum number of inspections needed for statistical significance (n') has
been taken, the evaluator can choose to establish the control limits. Nevertheless, if n' has
not been reached, the analyst can still decide to set up the control boundaries if he or she
is satisfied with the actual error percentage, which is provided by the CHTFPM MIS (see
Section 3.6.2.2 for a detailed description).

The first step in developing the control limits is the choice of a Shewhart or 
attribute chart, hence an applicable probability distribution. In the research of the 
promoted combustion testing operations, the application of the Poisson distribution was 
judged to be a good fit for the process. Therefore, the control charts that have an 
underlying Poisson distribution are the c and u chart. 

As applied to this case study, the c chart was believed to be more suitable to
represent the safety status of the promoted combustion testing system. The c chart will
plot the total number of occurring dendritics (defects/nonconformities) per subgroup. In
other words, the dendritics within the 4 observations of each subgroup are summed, and
that value is plotted. As stated before, the preliminary samples consisted of the first 10
subgroups where 21 dendritics occurred. The c chart parameters were generated by
inputting the data of the preliminary study in Equations 3.4 through 3.6, as follows:

$$\text{Center Line} = \bar{c} = \frac{\sum_{i=1}^{m} c_i}{m} = \frac{21}{10} = 2.1 \qquad (3.4)$$

$$\mathrm{UCL} = \bar{c} + 3\sqrt{\bar{c}} = 2.1 + 3\sqrt{2.1} = 6.447 \qquad (3.5)$$

$$\mathrm{LCL} = \bar{c} - 3\sqrt{\bar{c}} = 2.1 - 3\sqrt{2.1} = -2.247 \;\therefore\; = 0 \qquad (3.6)$$

Here, m is the total number of subgroups (10 samples of size 4). The collected data, or the
number of dendritic occurrences, is positive in nature. Therefore, in the event of a
negative LCL computation, a value of 0 (zero) is assigned.

It should be noted that c̄ is the process mean or center line, which serves to find
the control limits: UCL and LCL. The control limits calculated from preliminary
samples should be regarded as “trial” control limits, and the preliminary samples should
be examined for lack of control. If there are no out-of-control conditions, then the “trial”
limits can be adopted for future use.

That is why the CHTFPM MIS displays the graph of the preliminary sampling
study, so the user can see whether the system or process is stable. Once the end-user verifies
that the system is in control, the assessor can utilize those control limits for the upcoming
or future samples. If there are points outside the limits, the cause(s) for such outcome(s)
should be investigated and addressed (please review Section 3.8 for dealing with
out-of-control points). The PSMIS displays the values of the control limits when the user
clicks on the “See control limits” button (see Figures 4.15 and 4.16). Then a small
screen appears where the analyst has to select the Shewhart chart of his or her preference in
order to view the respective control limits, as illustrated in Figure 4.17. The c chart for
the MSFC industrial scenario, constructed from the preliminary data set, is depicted in
Figure 4.18 showing the values of the control parameters: center line, UCL and LCL.



Figure 4.17: Screen for selecting the type of Shewhart chart control limits. 


[Figure 4.18: chart titled “C chart”; horizontal axis: Subgroup.]

Figure 4.18: Control parameters of the c chart for the MSFC case study.
Likewise, the second predictive safety project also employed a Poisson
distribution since it was considered to be suitable for the hoisting operation and testing of
the HPGTs. In addition, a c chart was selected as well to provide assistance in depicting
the safety status and stability of the process. In this case, 12 dendritics were observed in
the first 16 inspections (4 subgroups of size 4) comprised in the preliminary samples. The
c chart control limits were established by entering the information of the preliminary
sampling in Equations 3.4 through 3.6 in the following manner:

$$\text{Center Line} = \bar{c} = \frac{\sum_{i=1}^{m} c_i}{m} = \frac{12}{4} = 3 \qquad (3.4)$$

$$\mathrm{UCL} = \bar{c} + 3\sqrt{\bar{c}} = 3 + 3\sqrt{3} = 8.196 \qquad (3.5)$$

$$\mathrm{LCL} = \bar{c} - 3\sqrt{\bar{c}} = 3 - 3\sqrt{3} = -2.2 \;\therefore\; = 0 \qquad (3.6)$$

where m is the total number of subgroups (4 samples with 4 observations each).

[Figure 4.19: chart titled “C chart”; horizontal axis: Subgroup.]

Figure 4.19: Control parameters of the c chart for the KSC case study.
Since there cannot be negative dendritics, there cannot be negative control limits
either. The LCL on this occasion turned out to be a negative number; therefore, the
correct lower control limit should be 0 (zero). For this case study, the pattern to obtain the
control limits of the c chart, which are portrayed in Figure 4.19, was the same as the one
followed in the MSFC project. This also means that the plotted values of every sample
were obtained by adding the dendritic incidences in each subgroup.


4.7.1 Control Charts for the MSFC Case Study 

As revealed before, a c chart was employed in the MSFC study to represent the 
safety status of the system under investigation. Figure 4.20 shows the c chart of this 
project, as constructed by the analyst. The values for the entire 100 samples or subgroups 
obtained from the MSFC project collected data are summarized in Appendix D. 



Figure 4.20: MSFC project c chart, as constructed by the analyst. 
The CHTFPM MIS constructed the same c chart for the complete set of samples
by just clicking a button. Figure 4.21 illustrates the c chart developed by the PSMIS.

[Figure 4.21: chart titled “C chart”; legend: Subgroup, UCL = 6.447, Center line = 2.1, LCL = 0; horizontal axis: Subgroup.]

Figure 4.21: MSFC project c chart, developed by the PSMIS.

The distinctions between the two preceding figures are minor. For instance, the PSMIS
chart starts the subgroup count with the number 1 (one) in the x axis, whereas the chart
built manually includes the number 0 (zero) in the horizontal axis. It makes more sense to
start the sample count at 1 since there is no subgroup number 0 (zero). In addition, the
control limits in the PSMIS chart are represented by dotted lines and their
values are displayed along the legend keys, which are located at the top of the figure.

Additionally, a Pareto diagram can be formulated by the CHTFPM code at any
moment during the safety study. This can provide an indication about which one of the
dendritics has the highest frequency of occurrence. Therefore, attention
can be better directed to correcting those unsafe conditions. The Pareto analysis for this case
study is depicted in Figure 4.22, which was done by the analyst. The dendritics that did
not occur during the data collection were not included in the Pareto diagram.

Figure 4.22: MSFC project Pareto diagram, as constructed by the analyst.


The Pareto diagram is created by the CHTFPM software program when the user 
specifies that action; Figure 4.23 depicts the Pareto plot, as developed by the CHTFPM 
MIS. Again, there are few dissimilarities between the manually-constructed and the 
PSMIS-developed Pareto diagram like background or bar colors, among others. For 
example, the description of each dendritic is abbreviated or rephrased in the original 
diagram, while the PSMIS copies the exact dendritic name from the dendritic list. One 
similarity, nonetheless, that both Pareto graphs have is that they do not include the 
dendritics that had a frequency or occurrence of 0 (zero). 
[Figure 4.23: chart titled “Pareto diagram”.]

Figure 4.23: MSFC project Pareto diagram, developed by the PSMIS.


As described in Chapters 2 and 3, not all dendritics are equally impacting the
safety of the system. In situations like this, what is needed is a method to classify
dendritics according to severity, thus weighting the various types of dendritics in a
reasonable manner. The method used to weight the dendritics or to assign demerits to
them is explained in Sections 2.4 and 3.5. As a result, the dendritics were split into four
classes. Therefore, the dendritics that could cause more serious damage, either to the
system or to the individuals, were clustered in the highest hierarchical category, which is
Class A in this case. The dendritics in the second level of severity were lumped in Class
B, and so forth. The results of this classification, which correspond to the MSFC case
study, are shown in Table 4.1.
Table 4.1: Classification of dendritics for the MSFC project.

Failure to adhere to Standard Operating Procedure (SOP)
Incorrect procedure used to don latex gloves
Leak checks not performed after hookup or not performed correctly
Full and empty oxygen containers stored together
Back bent forward while lifting object
Same surface contact (bare hand and latex glove)
Personnel not wearing safety shoes in test area
Test cell used for storage
Arms fully extended to the front while lifting
Personnel wearing dirty latex gloves
Oxygen container(s) not secured during combustion testing
Personnel limitations for test cell exceeded
Technician not wearing safety glasses when connecting/disconnecting oxygen bottles
Container(s) moved without using hand truck
Valve cap not installed when oxygen container(s) in use
Container(s) not secured during movement
Oxygen container(s) not stored in upright position
Test area not in “limited access control”
Trash and combustibles in test area
Oxygen container dragged, slid or rolled
Oxygen container lifted by valve cap


The CHTFPM MIS categorizes the dendritics into the corresponding groups
according to the weights that the user assigned to them when creating the dendritic list as
seen in Figures 4.7 (b) and 4.8 (b). In other words, the dendritics with the same highest
weight are grouped in class A; the dendritics with the second highest weight are grouped
into class B, and so on. Even though the PSMIS default weight values are 100, 50, 10 and
1 for the dendritics of Class A, B, C and D, respectively, a different set of weights
reasonable for a specific problem may also be used. Moreover, it should be noted that the
user can change these weights at any time.

The parameters for the weighted chart are calculated in the following equations
(Equations 3.17 through 3.20), and the data used in such calculations is summarized in
Appendix E. Figure 4.24 portrays the weighted chart with its control limits, as constructed
by the system evaluator.

$$\text{Center Line} = \bar{u} = 100\bar{u}_A + 50\bar{u}_B + 10\bar{u}_C + \bar{u}_D \qquad (3.17)$$

$$\text{Center Line} = \bar{u} = 100(0.1) + 50(0.1) + 10(0.325) + 0 = 18.25$$

$$\hat{\sigma}_u = \left[(100)^2\bar{u}_A + (50)^2\bar{u}_B + (10)^2\bar{u}_C + \bar{u}_D\right]^{1/2} \qquad (3.20)$$

$$\hat{\sigma}_u = \left[(100)^2(0.1) + (50)^2(0.1) + (10)^2(0.325) + 0\right]^{1/2} = 35.812$$

$$\mathrm{UCL} = \bar{u} + 3\hat{\sigma}_u = 18.25 + 3(35.812) = 125.686 \qquad (3.18)$$

$$\mathrm{LCL} = \bar{u} - 3\hat{\sigma}_u = 18.25 - 3(35.812) = -89.186 \;\therefore\; = 0 \qquad (3.19)$$



Figure 4.24: MSFC project weighted chart, as constructed by the analyst. 

The PSMIS performs all of the previous computations automatically to find out the
control limits for the weighted chart and depicts their values on the graph, as observed in
Figure 4.25. Additionally, all the control charts produced by the CHTFPM MIS are
consistent in their format.

[Figure 4.25: chart titled “Weighted chart”; horizontal axis: Subgroup.]

Figure 4.25: MSFC project weighted chart, developed by the PSMIS.

As mentioned previously in Section 3.7.5, the EWMA control chart is a good
alternative to the Shewhart control chart when small shifts in the safety mean, in the order
of 1.5σ or less, need to be detected. The first step in setting up an EWMA control chart is
determining the parameters L and λ. Using Table 3.2 in Chapter 3, the elected parameters
L and λ were 3.054 and 0.4, respectively. These values were chosen to detect a shift in
the safety mean of 1.00 with an ARL₀ of 500 and the ARL₁ for an out of control system
of 14.3 (it will take at least 15 samples to detect the shift with a point outside of the
control limits).

The center line for the EWMA chart is also the same as the one from the selected
Shewhart chart, which is the c chart in this case. Utilizing Equations 3.23 up to 3.26, the
plotted points and control boundaries were obtained, respectively. The resulting EWMA
control chart, as constructed by the analyst, is represented in Figure 4.26 (Appendix F
encapsulates the data used to construct this chart), while Figure 4.27 shows the EWMA
generated by the PSMIS.

Figure 4.26: MSFC project EWMA chart (L = 3.054 and λ = 0.4), as constructed by the
analyst.

[Figure 4.27: chart titled “EWMA chart”.]

Figure 4.27: MSFC project EWMA chart (L = 3.054 and λ = 0.4), developed by the
PSMIS.
In both EWMA charts, the control limits are not shown because they are not
constant; that is, each sample has its own set of control limits. However, the control
limits, both the UCL and LCL, tend to reach steady-state as the subgroup number
increases.

In addition, a second EWMA control chart was plotted to demonstrate the
different levels of sensitivity that can be attained using this control chart. Suppose the
same ARL₀ and shift in the safety mean as above are desired but the shift in the safety
mean needs to be detected quicker, say in 10 samples. Using Table 3.2 from Chapter 3,
the values for the parameters λ and L were 0.10 and 2.814, respectively. Equations 3.23
through 3.26 were also used to construct this EWMA chart along with the data
provided in Appendix G. Figure 4.28 portrays the resultant EWMA chart, as created by
the analyst.

Figure 4.28: MSFC project EWMA chart (L = 2.814 and λ = 0.1), as constructed by the
analyst.

The counterpart of the second EWMA control chart, which was developed using the
PSMIS, is shown in Figure 4.29 below.

Figure 4.29: MSFC project EWMA chart (L = 2.814 and λ = 0.1), developed by the


A good way to further improve the sensitivity of the control procedure to large
shifts without sacrificing the ability to detect small shifts quickly is to combine a
Shewhart and EWMA chart. These combined control procedures are effective against
both large and small shifts. For example, plotting Figures 4.20 and 4.28 on the same
graph gives the combined Shewhart-EWMA control chart, which is illustrated in Figure
4.30. It should be recalled that the analyst had to do this combination manually (by
manipulating the data), as with all the other control charts and calculations shown earlier
in this chapter. On the other hand, the PSMIS performed this combination automatically;
Figure 4.31 displays the combined Shewhart-EWMA chart given by the PSMIS.

Figure 4.30: MSFC project combined Shewhart-EWMA chart (L = 2.814 and λ = 0.1),
as constructed by the analyst.

[Figure 4.31: chart titled “Combined Shewhart - EWMA chart”; horizontal axis: Subgroup.]

Figure 4.31: MSFC project combined Shewhart-EWMA chart (L = 2.814 and λ = 0.1),
developed by the PSMIS.
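
The control-limit calculations of Section 4.7.1 and the combined Shewhart-EWMA check, as an added Python example (not the PSMIS code; function names are illustrative). The EWMA recursion and its per-sample limits are the standard textbook form with sigma taken as the square root of the c chart center line, assumed here because Equations 3.23 through 3.26 are not reproduced in this section; the two subgroup series are constructed for illustration and are not the Appendix D data.

```python
"""Added example: c chart, weighted chart and EWMA limits for the MSFC figures."""
import math


def c_chart_limits(total_dendritics, subgroups):
    """Equations 3.4-3.6: returns (center line, UCL, LCL); a negative LCL is set to 0."""
    c_bar = total_dendritics / subgroups
    spread = 3 * math.sqrt(c_bar)
    return c_bar, c_bar + spread, max(0.0, c_bar - spread)


def weighted_chart_limits(class_means, weights=(100, 50, 10, 1)):
    """Equations 3.17-3.20: returns (center line, UCL, LCL, sigma) for classes A-D."""
    center = sum(w * u for w, u in zip(weights, class_means))
    sigma = math.sqrt(sum(w * w * u for w, u in zip(weights, class_means)))
    return center, center + 3 * sigma, max(0.0, center - 3 * sigma), sigma


def ewma_rows(counts, center, lam, width):
    """EWMA statistic with its own limits for every subgroup (assumed textbook form).

    z_i = lam * x_i + (1 - lam) * z_(i-1), with z_0 = center
    limits_i = center +/- width * sigma * sqrt(lam / (2 - lam) * (1 - (1 - lam)^(2i)))
    Returns a list of (z_i, lcl_i, ucl_i); a negative lower limit is set to 0,
    mirroring the treatment of the c chart LCL.
    """
    sigma = math.sqrt(center)  # Poisson counts: variance equals the mean
    z, rows = center, []
    for i, x in enumerate(counts, start=1):
        z = lam * x + (1 - lam) * z
        half = width * sigma * math.sqrt(lam / (2 - lam) * (1 - (1 - lam) ** (2 * i)))
        rows.append((z, max(0.0, center - half), center + half))
    return rows


def combined_signals(counts, center, ucl, lcl, lam, width):
    """Subgroup numbers (1-based) flagged by the c chart and by the EWMA chart."""
    shewhart = [i for i, x in enumerate(counts, 1) if x > ucl or x < lcl]
    ewma = [i for i, (z, lo, hi) in enumerate(ewma_rows(counts, center, lam, width), 1)
            if z > hi or z < lo]
    return shewhart, ewma


# Constructed subgroup counts (dendritics summed over the 4 observations of a subgroup).
DRIFT = [3, 4, 3, 5, 4, 4, 5, 3, 4, 4]  # sustained small upward shift
SPIKE = [2, 1, 7, 2, 1, 3, 2, 2, 1, 2]  # one large excursion

if __name__ == "__main__":
    # MSFC preliminary study: 21 dendritics in 10 subgroups.
    center, ucl, lcl = c_chart_limits(21, 10)
    print(f"c chart: CL={center:.3f} UCL={ucl:.3f} LCL={lcl:.3f}")
    # MSFC class means (u_A, u_B, u_C, u_D) as used in the weighted chart equations.
    w_center, w_ucl, w_lcl, w_sigma = weighted_chart_limits((0.1, 0.1, 0.325, 0))
    print(f"weighted chart: CL={w_center:.3f} sigma={w_sigma:.3f} "
          f"UCL={w_ucl:.3f} LCL={w_lcl:.3f}")
    for name, series in (("drift", DRIFT), ("spike", SPIKE)):
        shewhart, ewma = combined_signals(series, center, ucl, lcl, lam=0.1, width=2.814)
        print(f"{name}: c chart signals at {shewhart}, EWMA signals at {ewma}")
```

With the constructed drift series, no subgroup exceeds the c chart UCL of 6.447 while the EWMA (λ = 0.1, L = 2.814) first signals at the sixth subgroup; the single spike of 7 is caught only by the c chart.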
4.7.2 Control Charts for the KSC Case Study

The KSC case study also used a c chart as the basis for predictive safety;
therefore, the same procedure pertaining to the MSFC project was followed in order to
obtain the results sought. Nonetheless, it is important to point out that for the testing,
preparation and hoisting operation of the HPGTs the analyst just created two control
charts, the c chart and the weighted chart, as well as the Pareto diagram. Consequently,
these two charts were the only ones developed by the CHTFPM MIS in conjunction with
the Pareto plot. The data used to build the c chart for the KSC study is enclosed in
Appendix L, and the complete c chart elaborated by the analyst is depicted in Figure 4.32.



The corresponding reproduction by the PSMIS of the above c control chart is portrayed in 
Figure 4.33. 




[Figure 4.33: chart titled “C chart”; legend: Subgroup value.]

Figure 4.33: KSC project c chart, developed by the PSMIS.

A Pareto diagram was also built for this case scenario by the analyst and is
represented in Figure 4.34.

Figure 4.34: KSC project Pareto diagram, as constructed by the analyst.

Figure 4.35, as produced by the CHTFPM software package, displays the duplicate of the
manual Pareto diagram.

[Figure 4.35: chart titled “Pareto diagram”; horizontal axis: Dendritics.]

Figure 4.35: KSC project Pareto diagram, developed by the PSMIS.


Since not all the dendritic elements have the same weight or are equally severe, a
weighted chart can provide a means of knowing if the process or system is becoming
hazardous due to the committed dendritics. For this project, the technique pursued to
categorize the dendritics into classes was the same as the one employed in the MSFC
case study. This denotes that there were four dendritic categories in this case. Appendix
K describes the arrangement of the dendritics into classes or groups for the KSC safety
project. The equations used to calculate the parameters for the weighted chart pertaining
to this project were also Equations 3.17 through 3.20.

$$\text{Center Line} = \bar{u} = 100\bar{u}_A + 50\bar{u}_B + 10\bar{u}_C + \bar{u}_D \qquad (3.17)$$

$$\text{Center Line} = \bar{u} = 100(0.0625) + 50(0) + 10(0.6875) + 0 = 13.125$$

$$\hat{\sigma}_u = \left[(100)^2\bar{u}_A + (50)^2\bar{u}_B + (10)^2\bar{u}_C + \bar{u}_D\right]^{1/2} \qquad (3.20)$$

$$\hat{\sigma}_u = \left[(100)^2(0.0625) + (50)^2(0) + (10)^2(0.6875) + 0\right]^{1/2} = 26.339$$

$$\mathrm{UCL} = \bar{u} + 3\hat{\sigma}_u = 13.125 + 3(26.339) = 92.142 \qquad (3.18)$$

$$\mathrm{LCL} = \bar{u} - 3\hat{\sigma}_u = 13.125 - 3(26.339) = -65.892 \;\therefore\; = 0 \qquad (3.19)$$

Appendix M contains the data employed in the preceding computations and Figure 4.36
shows the weighted chart for the KSC industrial scenario, as formulated by the analyst.

Figure 4.36: KSC project weighted chart, as constructed by the analyst.

The CHTFPM MIS performs the necessary calculations to determine the weighted chart
control limits and displays their values on the figure next to the corresponding legend
keys. Figure 4.37 illustrates the weighted chart as constructed by the PSMIS.

[Figure 4.37: chart titled “Weighted chart”; horizontal axis: Subgroup.]

Figure 4.37: KSC project weighted chart, developed by the PSMIS.

As elucidated throughout this chapter, the control charts were made manually by
the respective analysts by performing the necessary calculations and control charts in
Microsoft Excel. However, they had to indicate to the software application what to do
and how to do it. That is, they had to manipulate and handle the data themselves, instead
of the program doing it for them, as is explained in the next section.

4.8 Reliability and Efficiency of the PSMIS 

To determine the reliability of the computer program, the CHTFPM MIS had to
be tested using the two previously described predictive safety studies, which had been
validated; therefore, such results are correct. This comparison was done to show that the
results calculated by hand were exactly the same as those obtained with the PSMIS. The
exhaustive and methodical evidence shown in Section 4.7 clearly confirms that the
outcomes given by the CHTFPM software system are true and accurate, resulting in a
thorough reliability of the program.

As far as the effectiveness is concerned, the CHTFPM MIS was rated in terms of
the time and manpower required to complete the two safety studies. In order to explain
this subject, it is vital to understand how the projects under consideration were
accomplished manually. First, the analysts of the two case scenarios had to create the
forms of the PHA, FMEA and barrier analysis. This can be done in Microsoft Word or
Excel. Second, after defining the dendritic list, they had to develop and print sampling
sheets to conduct the observations at the site of investigation. This also can be achieved
in Microsoft Word or Excel. Third, the sampling plan had to be formulated. This can be
done in Microsoft Excel, which can generate random times, or by any other method; in
both case studies, the random sampling plan was performed using the time lapse VCR
and the random timer.

Fourth, the sampling sheets had to also be created in Excel in order to enter and
count the number of dendritics observed. Then the necessary arithmetic operations to
determine the subgroup values had to be input into the software application. This implies
specifying which cells have to be added, multiplied, divided, etc. Furthermore, the
equations for calculating the control chart parameters (center line, LCL, UCL, σ̂,
etc.) had to be input into the software application. After that, the analysts also had to
manipulate the data and specify to the computer program which values to plot and how to
plot them.
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This manual process is time consuming and prone to error, especially at the time 
of entering the control chart equations. In addition, this type of analysis can take days or 
even weeks just to set up. After having an idea about the amount of work required to 
complete a project as the ones described in this chapter, it will be easier to understand the 
effectiveness or efficiency of the PSMIS. 

The efficiency of the two case scenarios was determined by taking into account 
the factors of effort and time required to complete the project. The effort element or 
manpower is represented by the number of persons (NP) involved in the achievement of 
the investigation, and the time factor is represented by the average number of hours per 
person (ANHPP) spent to conclude the study. These two constituents provide the total 
number of hours (TNH) used up in the completion of the safety project, which can be 
expressed as the following formula: 

$$TNH = (ANHPP)(NP) \qquad (4.1)$$

The efficiency (E) of the PSMIS is computed by Equation 4.2 below: 

$$E = 1 - \left(\frac{TNH_{PSMIS}}{TNH_{Manually}}\right) \qquad (4.2)$$

The formula expressed above implies that it is first necessary to compute both the 
$TNH_{PSMIS}$ and the $TNH_{Manually}$. The $TNH_{PSMIS}$ corresponds to the hours it took 
to complete the project using the PSMIS. $TNH_{Manually}$ stands for the hours invested in 
the completion of the study when it was done manually or without the aid of the CHTFPM 
MIS. If the $TNH_{PSMIS}$ is less than the $TNH_{Manually}$, then a positive efficiency 
exists. 

In fact, the efficiency can be negative. For example, if the $TNH_{PSMIS}$ is greater 
than the $TNH_{Manually}$, the ratio of these two values as illustrated in Equation 4.2 
will be higher than 1 (one). This results in a negative efficiency, which signifies that 
there is no improvement or advantage in using the PSMIS because it took more time to 
carry out the whole analysis with the CHTFPM MIS than without it (manually). 

The efficiency can also be 0 (zero) if both the $TNH_{PSMIS}$ and the $TNH_{Manually}$ 
are the same. If this is the case, the ratio of these two components will give a value of 
1 (one); therefore, in the efficiency equation the result will be: 1 - 1 = 0. The 
rationale in this circumstance is that no benefit is gained or lost by using the CHTFPM 
MIS because it takes the same time to carry out the safety experiment with or without the 
use of the PSMIS. 

4.8.1 Efficiency of the PSMIS in the MSFC Case Study 

To complete the MSFC project, it took 3 persons who were working 10 hours per 
week for 3 months. The amount of time employed in watching the videotaped operations 
in order to perform the PHA, FMEA and barrier analysis was not included in the 
calculation of the efficiency. The reason is that this time would also have to 
be spent when using the PSMIS. Otherwise, it would not be possible to develop the three 
previous analyses, and thus the dendritic list, since the analyst would not have 
sufficient knowledge about the system or process. Therefore, the hours that count as part 
of the study are those between the initial moment when the analyst started doing the PHA 
and when the final control chart was completed. Additionally, the time it took to collect 
the data with the sampling sheets is not part of the number of hours necessary to conclude 
the study because this is also mandatory when utilizing the PSMIS. 

Based on the justification previously presented, it was estimated that 2 weeks 
were consumed to gain valuable insight about the system or process of the promoted 
combustion testing operations. Therefore, those 2 weeks were not counted toward the 
efficiency. Assuming there are 4 weeks in each month, the total number of weeks in a 
period of 3 months is 12. However, due to the 2 weeks utilized in becoming familiar with 
the system in order to recognize any anomalies, the actual number of weeks that were 
spent to fulfill the project becomes 10. Multiplying the actual number of weeks times the 
number of worked hours in every week by an individual (10 hours) gives a total of 100 
hours. This denotes that each person involved in this case study put in 100 hours of work 
during the course of three months. Consequently, the $ANHPP_{Manually}$ is computed as 
given below. 

$$ANHPP_{Manually} = \frac{(100 + 100 + 100)\ \text{hours}}{3\ \text{persons}} = \frac{100\ \text{hours}}{\text{person}}$$

So, replacing this average into Equation 4.1 gives the following: 

$$TNH_{Manually} = (ANHPP_{Manually})(NP_{Manually}) = \left(\frac{100\ \text{hours}}{\text{person}}\right)(3\ \text{persons}) = 300\ \text{hours}$$


Likewise, the $TNH_{PSMIS}$ can be found. When the PSMIS was utilized in the MSFC 
predictive safety study, it was done by 1 (one) individual who finished the project in 3 
hours. So, the $TNH_{PSMIS}$ is computed in the following fashion: 

$$ANHPP_{PSMIS} = \frac{3\ \text{hours}}{1\ \text{person}} = \frac{3\ \text{hours}}{\text{person}}$$

$$TNH_{PSMIS} = (ANHPP_{PSMIS})(NP_{PSMIS}) = \left(\frac{3\ \text{hours}}{\text{person}}\right)(1\ \text{person}) = 3\ \text{hours}$$

Therefore, substituting the $TNH_{Manually}$ and $TNH_{PSMIS}$ values into Equation 4.2 yields: 

$$E = 1 - \left(\frac{TNH_{PSMIS}}{TNH_{Manually}}\right) = 1 - \left(\frac{3\ \text{hours}}{300\ \text{hours}}\right) = 0.99 = 99\%$$



Table 4.2 encapsulates the MSFC data of the time and manpower required to conclude 
the project manually versus with the PSMIS. 


Table 4.2: Summary of the efficiency elements for the MSFC project. 

|                                        | Manually | PSMIS |
|----------------------------------------|----------|-------|
| Avg. hours worked per person (ANHPP)   | 100      | 3     |
| Persons involved in project (NP)       | 3        | 1     |
| Total hours to complete project (TNH)  | 300      | 3     |

Efficiency of the PSMIS (E): 99% 



4.8.2 Efficiency of the PSMIS in the KSC Case Study 

For the KSC case study, 3 people participated in the project for 3 months, and 
each individual worked 10 hours per week. The same rationale explained for the MSFC 
industrial scenario in the previous section was also suitable and appropriate for the KSC 
operations. The only hours that were considered toward the efficiency computation were 
those spent in typing all the project information into the PSMIS. Therefore, the time of 
watching the videotaped operations to perform the PHA, FMEA and barrier analysis and 
the time to manually record the dendritic occurrences in the sampling sheets were not 
included in the calculations. Consequently, the time to become familiar with the process 
in order to identify potential hazards was estimated to be 2 weeks as well. 

Additionally, the same assumption for the MSFC project, stating that each month 
has 4 weeks, was made in the KSC case study. Hence, the weeks encompassed in the 
3-month duration of the project are 12, but because of the 2 weeks spent in becoming 
familiar with the process to recognize the dendritics, the actual number of weeks 
considered in the calculations is 10. The full amount of hours that each analyst worked is 
found by multiplying the actual number of weeks and the number of hours that he or she 
worked in every week (10 hours); this equals a total of 100 hours. Since 3 persons 
contributed to the realization of the KSC project, the $ANHPP_{Manually}$ yields the 
following: 


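$$ANHPP_{Manually} = \frac{(100 + 100 + 100)\ \text{hours}}{3\ \text{persons}} = \frac{100\ \text{hours}}{\text{person}}$$

By substituting this number into Equation 4.1, it results in: 

$$TNH_{Manually} = (ANHPP_{Manually})(NP_{Manually}) = \left(\frac{100\ \text{hours}}{\text{person}}\right)(3\ \text{persons}) = 300\ \text{hours}$$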


Likewise, the $TNH_{PSMIS}$ can be obtained. When the PSMIS was employed, the 
KSC safety study was completed in 4 hours by 1 (one) person. Thus, the $TNH_{PSMIS}$ is 
calculated in the following manner: 

$$ANHPP_{PSMIS} = \frac{4\ \text{hours}}{1\ \text{person}} = \frac{4\ \text{hours}}{\text{person}}$$

$$TNH_{PSMIS} = (ANHPP_{PSMIS})(NP_{PSMIS}) = \left(\frac{4\ \text{hours}}{\text{person}}\right)(1\ \text{person}) = 4\ \text{hours}$$

Therefore, replacing the $TNH_{Manually}$ and $TNH_{PSMIS}$ values into Equation 4.2 yields 
the following: 

$$E = 1 - \left(\frac{TNH_{PSMIS}}{TNH_{Manually}}\right) = 1 - \left(\frac{4\ \text{hours}}{300\ \text{hours}}\right) = 0.9867 = 98.67\%$$



Table 4.3 recapitulates the KSC information of the time and manpower required to 
complete the project manually and with the aid of the PSMIS. 


Table 4.3: Summary of the efficiency elements for the KSC project. 

Chapter 5 


5. CONCLUSIONS AND RECOMMENDATIONS 

After implementing and evaluating the PSMIS, some deductions can be drawn as 
well as some suggestions for future research. This chapter provides the conclusions and 
recommendations pertaining to the research done and described in this project about the 
development of a predictive safety management information system (PSMIS). This 
management information system (MIS) comprises the theory of the Continuous Hazard 
Tracking Failure Prediction Methodology (CHTFPM). 

5.1 Introduction 

This section gives an overview of the chapter. Section 5.2 supplies a 
summary of the work performed. In Section 5.3, the conclusions about the results of this 
study are presented, while Section 5.4 discusses the potential implementation problems 
with the PSMIS. To finish, Section 5.5 presents the recommendations for future studies 
with the CHTFPM MIS/PSMIS. 

5.2 Summary of Work Performed 

The existing accident prevention models, like the ones revealed in Section 
2.5.1, are either reactive or proactive in nature; however, not all of them are available in 
a software application. The CHTFPM is a preventative safety model that is proactive, and 
it has been incorporated into a software package. By proactive, it is meant that corrective 
action is taken before the fact, instead of after the fact, in order to prevent an accident or 
system malfunction before it occurs. To perform safety in a proactive manner, the 
CHTFPM combines the principles of safety sampling and control charts. Therefore, the 
CHTFPM MIS has these two concepts integrated, so that the safety status of a 
given system or process can be known. Besides the PSMIS, there are some predictive 
safety models that are proactive and exist in the form of a software system (refer to 
Sections 2.6.2.1 and 2.6.2.2). Nonetheless, the disadvantage of these computer programs is 
that they are only applicable to specific sites or scenarios, whereas the CHTFPM MIS is 
robust, meaning that it is suitable for many locations, circumstances and studies. 

In order to facilitate the application of the PSMIS and at the same time provide 
proof of the reliability and efficiency of the software, two previously validated case 
studies were selected. These two predictive safety projects were the following: 

1. Promoted combustion testing operations at the Material and Combustion Research 
Facility at Marshall Space Flight Center (MSFC). 

2. Testing, preparation and hoisting operation of four high-pressure gas tanks 
(HPGTs) at the Operations and Check-Out Building at Kennedy Space Center 
(KSC). 

The two studies described above were chosen for the implementation of the CHTFPM 
MIS. This signifies that all the information encompassed in both projects was input into 
the PSMIS to verify whether the results given by the software were the same as those 
obtained by hand. By doing so, the confidence in the results of the CHTFPM code could be 
determined as well as the time necessary to complete the projects when the CHTFPM 
MIS was used relative to when it was not used. This provided the implementation and 
evaluation of the PSMIS. 

5.3 Conclusions 

The implementation and evaluation of the CHTFPM MIS on both case studies 
revealed the following inferences: 

• For the MSFC case study, the results presented by the PSMIS for each control 
chart (c, weighted, EWMA with L = 3.054, λ = 0.4 and L = 2.814, λ = 0.1, and combined 
Shewhart-EWMA chart) are exactly the same as the ones attained manually. 

• For the MSFC case study, the Pareto diagram produced by the PSMIS is identical to 
the one elaborated by the analyst. 

• For the KSC case study, the results presented by the PSMIS for each control 
chart — c and weighted chart — match those obtained by hand. 

• For the KSC case study, the Pareto diagram fabricated by the PSMIS is equal to the 
one constructed by the analyst. 

• The PSMIS outcomes shown in Section 4.7 are evidence which undoubtedly 
supports that the CHTFPM software system is reliable and accurate. 

• In the MSFC project, 3 persons were required to finish off the research manually 
resulting in 300 total number of hours ($TNH_{Manually}$) spent. 

• In the MSFC project, 1 person completed the study in 3 hours ($TNH_{PSMIS}$ = 3) using 
the PSMIS. 

• In the MSFC project, there was a significant improvement in utilizing the CHTFPM 
MIS versus doing the project manually, for the efficiency of the PSMIS was 99 %. 

• In the KSC case study, it took 3 persons to conclude the research study for a total 
number of hours ($TNH_{Manually}$) of 300. 

• In the KSC case study, 1 person finalized the project in 4 hours ($TNH_{PSMIS}$ = 4). 

• In the KSC case study, there was a significant improvement in utilizing the 
CHTFPM MIS versus doing the research manually, for the efficiency of the PSMIS 
was 98.67 %. 

5.4 Potential Implementation Problems 

The possible problems that could be faced when implementing or applying the 
PSMIS are mainly related to collecting and, consequently, entering the data into the 
CHTFPM MIS. This is true because the management of data, especially the calculations, 
is handled by the computer program and not by the analyst. So, the program cannot give 
incorrect results unless the user makes a mistake. For instance, when constructing a 
Pareto diagram by manual means, the analyst can accidentally interchange the names of 
the dendritics at the moment of assigning them to their respective frequencies (bars). This 
would lead to wrong results and erroneous conclusions. Some of these potential problems 
are described in the following list of points: 

• The accuracy of the responses given by the PSMIS depends on the precision with 
which the dendritic occurrences are entered. At the time of inputting such 
information, the analyst can indicate by mistake that a certain dendritic occurred 
when in reality it did not. This would give a variation in the plotted value of the 
selected control chart or in the frequency of that dendritic in the Pareto diagram. 

• When entering the number of dendritics observed into the PSMIS screens, each of 
which corresponds to a certain observation number, the user can accidentally skip 
one or more observation numbers (screens). 

• If an inspection screen was not filled out on purpose because no dendritics occurred 
in that observation, the CHTFPM MIS will assume that such observation was not 
conducted, and it will not be considered for any associated calculations, such as 
sample size, control limits, plotted subgroup value, etc. (review Section 3.8.2 to 
avoid this kind of problem). 

• The analyst can forget to conduct an observation to check for the presence of 
dendritics in the system or can forget to input the dendritic occurrences into the 
CHTFPM system. Therefore, such observation number will be left blank and will 
affect that particular subgroup size (refer to Section 3.8.2 to rectify this type of 
problem). 

• If an inspection number is skipped in the PSMIS due to any of the reasons cited in 
this section, or for some other reason, it implies that not all the subgroups have the 
same sample size. As a consequence, the CHTFPM MIS will try to graph a u chart 
by default, at the time of specifying which type of control chart to view, since this is 
the only attribute chart that does not carry the restriction of equal sample size. The 
computer program, however, will display a warning message before plotting the u 
chart (read Section 3.8.2 to learn how to correct this problem). 
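
The blank-versus-zero problem in the list above can be made concrete. The following Python sketch is an added example, not the PSMIS code: it assumes the standard Shewhart c-chart and u-chart formulas with 3-sigma limits, and the function names and dendritic counts are constructed for illustration.

```python
import math

# Constructed sample data (not from the MSFC or KSC studies). Each inner list is
# one subgroup; an int is the dendritic count typed into an observation screen,
# None is a screen that was left blank.
COMPLETE = [[2, 0, 1, 3], [1, 1, 0, 2], [0, 4, 1, 1]]
WITH_BLANK = [[2, 0, 1, 3], [1, None, 0, 2], [0, 4, 1, 1]]   # screen skipped
ZERO_ENTERED = [[2, 0, 1, 3], [1, 0, 0, 2], [0, 4, 1, 1]]    # 0 typed explicitly


def blank_observations(subgroups):
    """Return 1-based (subgroup, observation) positions of blank screens."""
    return [(i, j)
            for i, obs in enumerate(subgroups, start=1)
            for j, x in enumerate(obs, start=1) if x is None]


def summarize(subgroups):
    """Return (total dendritics, observations actually entered) per subgroup."""
    summary = []
    for obs in subgroups:
        entered = [x for x in obs if x is not None]
        if any(not isinstance(x, int) or x < 0 for x in entered):
            raise ValueError("dendritic counts must be non-negative integers")
        if not entered:
            raise ValueError("subgroup has no entered observations")
        summary.append((sum(entered), len(entered)))
    return summary


def control_chart(subgroups, k=3.0):
    """Pick a c chart for equal subgroup sizes, otherwise fall back to a u chart.

    Assumed (textbook) formulas:
      c chart: CL = c_bar,  limits = c_bar +/- k*sqrt(c_bar)
      u chart: CL = u_bar,  limits = u_bar +/- k*sqrt(u_bar / n_i)
    Lower limits are clamped at zero because counts cannot be negative.
    """
    summary = summarize(subgroups)
    sizes = {n for _, n in summary}
    total_count = sum(c for c, _ in summary)

    if len(sizes) == 1:
        center = total_count / len(summary)
        half = k * math.sqrt(center)
        points = [{"value": float(c),
                   "lcl": max(0.0, center - half),
                   "ucl": center + half} for c, _ in summary]
        return {"chart": "c", "center": center, "points": points, "warning": None}

    # Unequal sizes: limits now differ per subgroup, wider where n_i is smaller.
    center = total_count / sum(n for _, n in summary)
    points = []
    for c, n in summary:
        half = k * math.sqrt(center / n)
        points.append({"value": c / n,
                       "lcl": max(0.0, center - half),
                       "ucl": center + half})
    warning = ("unequal subgroup sizes, plotting u chart; "
               f"blank observations at {blank_observations(subgroups)}")
    return {"chart": "u", "center": center, "points": points, "warning": warning}


if __name__ == "__main__":
    for name, data in [("complete", COMPLETE),
                       ("blank screen", WITH_BLANK),
                       ("zero entered", ZERO_ENTERED)]:
        result = control_chart(data)
        print(name, result["chart"], round(result["center"], 4), result["warning"])
```

Entering an explicit 0 for an observation with no dendritics keeps the subgroup size intact and the c chart available, whereas a blank screen shrinks that subgroup and changes both the chart type and its limits.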

5.5 Future Research Recommendations 

The goal of this research has been to devise a predictive safety software to control 
conditions leading to hazards from a proactive, instead of a reactive, standpoint. The 
CHTFPM MIS can be used as a starting point for future research to enhance the 
effectiveness of proactive safety projects. The recommendations for areas of future 
research include the following: 

• Add to the PSMIS a multivariate EWMA (MEWMA) which can demonstrate a 
situation in which simultaneous monitoring and control of two or more related 
quality characteristics (variables) is necessary. 

• Incorporate into the CHTFPM code the capability to perform a discriminant 
analysis to check the adequacy of the control charts and to generate an equation that 
could be utilized for prediction of system safety. 

• Test and implement the PSMIS beta version (first edition) in other NASA facilities 
where the collection of data would be carried out on a real-time basis, hence in live 
industrial scenarios. This would serve to further validate the PSMIS (based on user 
input) and improve the usability of the CHTFPM MIS. 

Glossary 


ARL: Average Run Length, the expected number of sampling stages before an out-of- 
control condition is raised. 

Barrier Analysis: Examines any root cause of a given problem or unwanted event by 
assessing the adequacy of any installed barriers, like safeguards, that can prevent an 
accident or system failure. 

Binomial Distribution: It is used frequently in statistical process control. It is the 
appropriate probability model for sampling from an infinitely large population, where 
the fraction of defective or nonconforming items in the population or sample are of 
interest. 

BSI: British Standards Institution, group of complementary business — all working to the 
same vision of supporting business improvement and trade worldwide. 

CHTFPM: Continuous Hazard Tracking and Failure Prediction Methodology, a 
proactive predictive safety model that aids in preventing accidents and system 
failures. 

CHTFPM MIS: See PSMIS. 

Center Line: Process mean obtained based on the selected attribute or Shewhart control 
chart. 

Confidence Interval: An interval of plausible values for the parameter being estimated. 

Confidence Level: Degree of plausibility or chance that a confidence interval has of 
including the universe. 

Control Chart: A simple graphical device for knowing, at a given instance of time, 
whether or not a process is under control. 

Demerit Scheme: Method of assigning demerits or weights to dendritics or problems 
according to their severity. 

Dendritics: Building blocks of hazards or conditions in a given system that are becoming 
hazardous. 

DSS: Decision Support System, a safety computer system designed to assist construction 
engineers in monitoring and controlling the excavation conditions that could become 
hazardous in construction sites. 

FMEA: Failure Mode and Effect Analysis, is a bottom-up hazard analysis procedure of 
identifying the failure modes of a system and determining the effects on the next 
higher level. 

Frequency: The tally or count of only the number of observations associated with each 
object or item (dendritic, problem, individual, etc.) 

Hazard: The potential for an activity, condition, or circumstance to produce harmful 
effects. 

Hazard Analysis: The process of identifying, anticipating and controlling hazards. 

HSE: Health and Safety Executive, responsible for the regulation of almost all the risks 
to health and safety arising from work activity in Great Britain. 

LCL: Lower Control Limit, delineates the bottom safety boundary in a control chart for a 
given system or process. 

MADYMO: Mathematical simulation models that can predict type of injuries in a certain 
car accident configuration before the system (human) is exposed to harmful 
circumstances. 

Mean: The sum of values in a distribution divided by the number of values. It is one of 
the most common measures of central tendency. 

MIS: Management Information System, computer application that is capable of 
organizing, storing and retrieving information. 

Normal Distribution: A bell shaped distribution which describes most of the naturally 
occurring phenomena. A normal distribution is identified by the mean and standard 
deviation. 

OSHA: Occupational Safety and Health Administration, an organization within the 
Department of Labor, with a mission to ensure that every employer provides safe and 
healthful conditions to every working man and woman. 

Parameter: A constant or coefficient of a universe that describes some characteristic of 
its distribution. 

Pareto Analysis: A technique for prioritizing types or sources of problems by separating 
the major causes from the minor causes of a problem (dendritics). This allows for a 
focus on problems that offer the greatest potential for process improvement by using 
a Pareto chart or diagram. 

Pareto Chart: Also known as Pareto diagram. It is a bar graph that represents the 
frequencies of dendritics or problems. 

Percent Error: Desired or specified α, this is the probability of data falling outside the 
confidence level. 

PHA: Preliminary Hazard Analysis, is a system safety analysis tool which identifies 
critical safety areas, evaluates hazards, and identifies the safety design criteria to be 
used in order to eliminate or reduce the risk. 

Poisson Distribution: It is a typical application in statistical process control. It is a 
model of the number of defects or nonconformities that occur in a unit or product. In 
fact, any random phenomenon that occurs on a per unit (or per unit area, per unit 
volume, per unit time, etc.) basis is often well approximated by the Poisson 
distribution. 

Population: See universe. 

Probability: The proportion of an object or thing (dendritic, problem, etc.) in a given 
class, group, collection or set of data. 

PSMIS: Predictive Safety Management Information System, software package that 
incorporates the theory of the CHTFPM and performs data handling, data 
manipulation as well as calculations automatically. 

Random: An intuitive concept referring to a condition that happens unpredictably and 
without any apparent pattern or reason. Equal chance of probability of occurrence for 
each member of a group. 

Risk: A measure of both the likelihood and consequences of all hazards of an activity or 
condition. It is the chance of injury, damage or loss. 

Risk Analysis: Method of applying qualitative and quantitative techniques to measure 
potential risk in terms of frequency and severity rate. 

Safety: Is the state of being relatively free from harm, danger, injury or damage. 

Safety Engineering: Is the application of engineering principles to the recognition and 
control of hazards. 

Safety Sampling: A proactive approach for accident and system failure prevention by 
monitoring the occurrence of dendritics in order to determine if a system is operating 
within the specified control limits. 

Sample: Portion or subset of objects or items from a larger set called universe. 

Sampling: The activity of picking a sample from a universe to draw inferences about the 
universe. 

Significance: Means that a result differs from or exceeds some hypothetical value by 
more than it can reasonably be attributed to the chance errors of sampling. 

Standard Deviation: The measure of the dispersion of the observed values about their 
mean. 

UCL: Upper Control Limit, delineates the top safety boundary in a control chart for a 
given system or process. 

Universe: The set of all individuals or objects of a particular type. 

| Hazardous Condition | Hazard Cause | Hazard Effect | Safety/Engineering Requirements | Hazard Elimination/Control Provisions |
|---|---|---|---|---|
| Expired calibration (gauge, transducer, etc.) | Human error (scheduling) | Loss of confidence in component indication | Meet minimum calibration requirements as specified by manufacturer | Calibration schedule reviews and audits |
| Component missing part #, hydrostat information, manufacturer information, or specifications (hose, valve, etc.) | Workmanship | Unable to identify critical component characteristics | All hoses and valves must maintain required id and equipment specifications readily viewable | Periodic walkthrough/inspection, attach new tags with necessary information |
| Component id information covered by paint (hose, valve, manifold, etc.) | Workmanship | Unable to identify critical component characteristics | All hoses and valves must maintain required id and equipment specifications readily viewable | Periodic walkthrough/inspection, remove paint from id tags |
| Maintenance performed incorrectly | Workmanship | Inoperative equipment or deficient system operation | Maintenance conducted according to NASA regulations | Properly trained maintenance technicians with sufficient oversight from maintenance supervisors |
| Implementation of newly designed equipment/system | Design deficiency | Inoperative equipment or deficient system operation | Design of systems to meet applicable NASA operational and safety requirements | Engineering review of all new design projects to ensure compliance and operational integrity |
| Equipment operator incorrectly operating equipment | Human error | Personnel risk, equipment damage, delay in operations | Design of equipment to be user friendly and operator foolproof | Equipment operator use SOPs posted at equipment being operated |


APPENDIX B 


Failure Mode and Effect Analysis for the MSFC Project 



N/A 
N/A 
Calibration Technician 
Performs calibration of assigned equipment (gauges, transducers, etc.) 
A. Fails to calibrate equipment by due date 
B. Scheduling 
D. Inspection of calibration records, visible discrepancy in equipment, etc. 
E. Calibrate 
F. Varying 
G. Yet to be determined 
□ Loss of confidence in equipment indication / operation 
□ Possible failure cause in function / use / operation of equipment or system 
□ Possible factor in equipment downtime and / or life expectancy 
Possible effects include minor to severe personnel risks, system component failure, system failure 

N/A 
N/A 
Lubrication Technician 
Lubricates all rotors, rings and other parts needing lubrication 
A. Fails to lubricate 
B. Scheduling, negligence / oversight 
D. Inspection of maintenance records, visible discrepancy in equipment, etc. 
E. Lubricate 
F. Varying 
G. Yet to be determined 
□ Possible failure cause in function / use / operation 
□ Possible factor in equipment downtime and / or life expectancy 
□ Loss of confidence in equipment indication / operation 
Possible effects include minor to severe personnel risks, system component failure, system failure 

N/A 
Post-Test System Operator 
Equipment shutdown inspection, clean-up and similar post-operational tasks 
A. Fails to properly shutdown, inspect, clean-up equipment and/or its components 
B. Human error / oversight 
D. Operational problem / failure, safety infringement recognition / discrepancy 
E. Increase adherence to post-test procedures guidelines and/or checklists, enlarged focus on safety standards, etc. 
F. Varying 
G. Yet to be determined 
□ Possibility of multiple effects ranging from minor to major equipment failure / hazard and / or component failure / hazard 
Possible effects include minor to severe personnel risks, system component failure, system failure 

1 

N/A 

Sample 
Technician / 
Handler 

Prepares, loads, 
unloads and / or 
handles test 
samples 

A. Fails to properly prepare, 
load, unload and / or handle test 
samples as well as tabulating 
sample information 

B. Possible causes include 
human error / oversight, 
chemical impotency, mechanical 
malfunction of parts related to 
loading / unloading of samples, 
measurement of sample 
properties and so on 

D. Notable abnormality of 
sample or sample handling, 
discrepancy in sample data 
sheets, improper sample 
situation in chamber 

E. Prepare sample again or 
acquire new sample, re-load 
sample, improved adherence to 
procedural guidelines in sample 
preparation, loading and 
handling 

F. Varying 

G. Yet to be determined 

□ Possibility of 
multiple effects 
ranging from 
minor to major 
equipment failure 
/ hazard and / or 
component failure 
/ hazard 

Possible effects 
include personnel 
risks, system 
component failure, 
system failure, test 
biasing and sample 
corruption 

3 

N/A 

Maintenance 

Technician 

Performs 
corrective and / 
or predictive 
maintenance 

A. Incorrectly performs 
maintenance 

B. Workmanship 

D. Inspection of maintenance 
records, visible discrepancy in 
equipment, etc. 

E. Perform the maintenance 
tasks 

F. Varying 

G. Yet to be determined 

□ Loss of 
confidence in 
equipment 
indication / 
operation 

Possible effects 
include minor to 
severe personnel 
risks, system 
component failure, 
system failure 

3 




A. Improper function / use / 
connection of electrical 
apparatus and electronic 
components 

□ Loss of 
confidence in 
equipment 
indication / 
operation 

Possible effects 


N/A 

Electrical 

System 

Components 

Electrical 

connections, 

components 

B. Various 

D. Visual or functional 
discrepancy of equipment and / 
or its components 

E. Repair or replacement of 

□ Possible failure 
cause in function / 
use / operation of 
equipment or 
system 

include minor to 
severe personnel 
risks, system 
component failure, 
system failure 

3 




faulty part / apparatus 

F. Varying 

G. Yet to be determined 

□ Possible factor 
in equipment 
downtime and / or 
life expectancy 
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N/A 


Mechanical 

System 

Components 


Seals, valves, 
plugs, insulation 
and other 
functionally 
similar 
components 


A. Improper function / use / 
’connection of components 
mentioned at left 

B. Various 

D. Visual or functional 
discrepancy of equipment and / 
or its components 

Repair or replacement of 
[faulty part / apparatus 

F. Varying 

G. Yet to be determined 


N/A 


N/A 


Mechanical 

System 

Components 


Electrical 

System 

Components 


Knobs, buttons, 
switches, 
gauges, and 
other 

functionally 

similar 

components 


ViewDac and 
other computer 
devices 


r l ' i'll * 


s»# 


□ Loss of 
confidence in 
equipment 
indication / 
operation 


. ; r ■ 


A. Improper function / use / 
connection of components 
mentioned at left 

B. Various 

D. Visual or functional 
discrepancy of equipment and / 
! or its components 

E. Repair or replacement of 
| faulty part / apparatus 

F. Varying 

G. Yet to be determined 


A, Improper function / use / of 
computer applications, 
malfunctioning components, 
both software and hardware 

B. Various 

D. Inoperable or malfunctioning 
system related to a computer 
application, malfunctioning 
computer exercise or package 

E. If unqualified, contact more 
suitable technician; if ViewDac, 
contact manufacturer 

F. Varying 
G. Yet to be determined 


□ Possible failure 
cause in function / 
use / operation of 
equipment or 
system 


□ Possible factor 
in equipment 
downtime and / or 
life expectancy 


□ Loss of 
confidence in 
equipment 
indication / 
operation 


□ Possible failure 
cause in function / 
use / operation of 
equipment or 
system 


□ Possible factor 
in equipment 
downtime and / or 
life expectancy 


□ Loss of system 
monitoring, 
control and / or 
applications 



Possible effects 
include minor to 
severe personnel 
risks, system 
component failure, 
system failure 


Possible effects 
include minor to 
severe personnel 
risks, system 
component failure, 
system failure 


Possible effects 
include minor to 
severe personnel 
risks, system 
component failure, 
system failure 


N/A 


Mechanical 

System 

Components 


Compressors, 
lift plates and 
other 

functionally 

similar 

components 


A. Improper function / use / 
connection of components 
mentioned at left 

B. Various 

D. Visual or functional 
discrepancy of equipment and / 
or its components 

E. Repair or replacement of 
faulty part / apparatus 

F. Varying 

G. Yet to be determined 


□ Loss of 
confidence in 
equipment 
indication / 
operation 


□ Possible failure 
cause in function / 
use / operation of 
equipment or 
system 


□ Possible factor 
in equipment 
downtime and / or 
life expectancy 


Possible effects 
include minor to 
severe personnel 
risks, system 
component failure, 
system failure 








APPENDIX C 


Barrier Analysis for the MSFC Project 



Personnel 



Personnel 


Personnel 


Personnel 


Back Injury 


Oxygen Bottle 
Explosion 


Eye Injury 


Burn Injury 


Foot Injury 


Training on general 
safe lab practices 


Training on proper 
handling of 
compressed gas 
cylinders 


Training on use of 
personal protection 
equipment, 
required to wear 
safety glasses 

Ceramic cup to 
catch slag 

Training on use of 
personal protection 
equipment, 
required to wear 
safety shoes 


Incorrect posture 
used 


Occasional 
violation of 
handling procedures 


Intermittent 
violation of PPE 
requirements 

Used for all testing 
operations, emptied 
intermittently 

Intermittent 
violation of PPE 
requirements 
c Control Chart Data for the MSFC Project 

Weighted Control Chart Data for the MSFC Project 

EWMA Control Chart Data for the MSFC Project (λ = 0.4, L = 3.054) 

Hazardous 

Conditions 

Hazard 

Cause 

Hazard Effect 

Safety/ 

Engineering 

Requirements 

Hazard Elimination 
Control Provisions 


1. Non-hazard proof 
electrical equipment 

Human Error 
(Failure to follow SOP) 

Fire/Explosion 
resulting in injury 
or death to 
personnel and 
loss of or 
damage to flight 
hardware, 
Ground Support 
Equipment 
(GSE), and 
facility. 


2. Hose rupture of 
GSE leak. 

Manufacturer 
defect/hose 
life 

Fire/Explosion 
resulting in injury 
or death to 
personnel and 
loss of or 
damage to flight 
hardware, GSE, 
and facility. 


Lock out and tag out 
all non-hazard proof 
non-electrical 
equipment 


High Pressure Gas Tanks 
test work authorization 
procedures (WAP) 
contain steps requiring a 
walk down to verify that 
all electrical equipment 
has been locked out and 
tagged. 


Meet minimum 
calibration 
requirements as 
specified by the 
manufacturer. 


3. Adiabatic 
Compression/Overt 

Human Error 
(Failure to follow 
OMRSD 
Requirements) 

Fire/Explosion 
resulting in injury 
or death to 
personnel and 
loss of or 
damage to flight 
hardware, GSE, 
and facility. 

Meet OMRSD 
requirements define 
the 
pressurization/depressurization 
rates 


4. Accelerated 
Particle 
velocity/cleanliness 

Design 
Deficiency 

Fire/Explosion 
resulting in injury 
or death to 
personnel and 
loss of or 
damage to flight 
hardware, GSE, 
and facility. 


PRUA cleaned to 
Level 100A per KSC- 
SPEC-C-123. 


Valid proof test and 
calibration certification 
shall be verified prior to 
hazard operations. WADs 
shall contain steps that 
verify that the proof test 
and calibrations are 

current. 

Limit 

pressurization/depressurization 
at 50 psi/sec. The 
addition of an orifice 
restricting the flow rate of 
the Pressure Regulating 
Unit Assembly (PRUA). 
Monitor and control tank 
temperatures during fill 
operations keeping temp. 
below 115 F. Incorporate 
monitoring requirements 

into WAD. 

Addition of three 10- 
micron filters one in the 
inlet side of the PRUA, 
one is internal to the 
PRUA and one connected 
to the HPGTs inlet supply 
valve. Samples will be 
taken to verify oxygen 
cleanliness prior to and 
after HPGTs servicin 
Hazardous 

Conditions 

Hazard 

Cause 

Hazard Effect 

Safety/ 

Engineering 

Requirements 

Hazard Elimination 
Control Provisions 


5. Structural Failure 


Manufacturer defect 


Rupture/Damage 
of High Pressure 
Gas Tanks 
(HPGTs) could 
result in injury or 
death to 
personnel and 
loss of or 
damage to flight 
hardware, GSE, 
and facility. 


Meet minimum 
calibration 
requirements as 
specified by the 
manufacturer. 


Human 

Error 

(Failure to 
follow SOP) 


Damage to 
PRUA could 
result in injury or 
death to 
personnel and 
loss of or 
damage to flight 
hardware, GSE, 
and facility. 


Design of SOP to 
meet applicable 
NASA operational 
and safety 
requirements. 


Possible damage 
or rupture of a 
HPGTs. 
Resulting in 
injury/death to 
personnel and 
loss of or 
damage to flight 
hardware, GSE, 
and facility. 

Human 
Error 
(Failure to 
follow SOP) 


Perform receiving 
inspection on the tanks 
upon arrival at KSC prior 
to testing to verify tank 
integrity. Review of 
receiving inspection and 
test WADs to verify no 
damage occurred prior to 
arrival at KSC. 

No critical failure points or 
failure modes have been 
identified in Systems 
Assurance Analyses that 
would result in over 
pressurization of GSE. In 
the event of a failure, 
personnel will be in 
position to turn off the gas 
supply valve. Train 
personnel in the hazards 
related to high-pressure 
gas systems. Utilize a 
remote control valve at 
the gas supply. 


Certification of 
cranes and lifting 
equipment in 
accordance to 
NSS/GO 1740.9. In 
addition, load tested 
and operational 
tested and certified. 


Perform walk downs, 
inspections and functional 
test prior to operation. 








Hazardous 

Conditions 


Hazard 

Cause 


Hazard Effect 


Safety/ 

Engineering 

Requirements 


Hazard Elimination 
Control Provisions 


8. Impact with other 
structures. 


Human 

Error 

(Failure to 
follow SOP) 


Possible damage 
or rupture of a 
HPGT. Resulting 
in injury/death to 
personnel and 
loss of or 
damage to flight 
hardware, GSE, 
and facility. 


If crane is at a 
distance greater than 
10 inches from a 
structure operation 
speed has to be less 
than 2 in./min. 

Within 10-in. operate 
less than 1 in./min. 


Operators will possess a 
valid operator’s license, 
which is verified in the 
WAD. A pre-test 
briefing shall be held prior 
to lifting operations and 
personnel will be advised 
of their specific task and 
the hazards involved. A 
controlled area shall be 
established for all lifting 
operations and cleared of 
all nonessential 
personnel. 
Tubing / 
Transport 
Oxygen from 
PRUA to HPGT 


Ignition 


Non-hazard 
proof electrical 
equipment / No 
function 


Electrical 
Arcing 


PRUA / 
Regulate 
Pressure 


Communications 
during hoisting 
operations 


Fire/Explosion 
resulting in injury 
or death to 
personnel and loss 
of or damage to 
flight hardware, 
Ground Support 
Equipment (GSE), 
and facility. 

Striking a valve 
body just 
downstream of the 
control element of 
the valve can cause 
Particulate Impact 
ignition caused by 
the exposure of un- 
oxidized metal 
surfaces. 

Five 10 Micron 
filters remove 
particulates. 

Continue to use 
five 10 Micron 
filters remove 
particulates. 



Fire/Explosion 
resulting in injury 
or death to 
personnel and loss 
of or damage to 
flight hardware, 
Ground Support 
Equipment (GSE), 
and facility. 


Resulting in injury 
or death to 
personnel and loss 
of or damage to 
flight hardware, 
Ground Support 
Equipment (GSE), 
and facility. 


Short circuit and arc 
through its sheath to 
the oxygen gas. 
Human Error 
(Failure to follow 
SOP). 


Lock out and tag 
out all non- 
hazard proof 
non-electrical 
equipment. 


Orifices and 
regulators preclude 
flow rates. Age of 
equipment 



Accident resulting 
in injury to 
personnel and loss 
of or damage to 
flight hardware, 
Ground Support 
Equipment (GSE). 


Human Error 
(Failure to follow 
SOP) 


Tested with 

High-pressure 

oxygen. 

Designed and 
certified SSP 
500004. The 
GOX supply 
source is 
external to the 
building and 
capable of 
isolation with a 
remote shut-off 

valve. 

System layout 
allows direct 
verbal and visual 
communications. 
All operators are 
together, none 
located 
remotely. 
Communications 
with other O & 

C will be 
established. 


High Pressure 
Gas Tanks test 
work 
authorization 
procedures 
(WAD) contain 
steps requiring a 
walk down to 
verify that all 
electrical 
equipment has 
been locked out 
and tagged. 


Use a portable 
Vmonitor 
system to detect 
oxygen levels. 





Fire/Explosion 
resulting in injury 
or death to 
personnel and loss 
of or damage to 
flight hardware, 
Ground Support 
Equipment (GSE), 
and facility. 


Orifices and 
regulators preclude 
flow rates. Age of 
Equipment. 


The GOX supply 
source is 
external to the 
building and 
capable of 
isolation with a 
remote shut-off 
valve. 


Impact with 
other structures. 

Possible damage 
or rupture of a 
HPGT's. Resulting 
in injury/death to 
personnel and loss 
of or damage to 
flight hardware, 
GSE, and facility. 

Human Error 
(Failure to follow 
SOP) 


If crane is at a 
distance greater 
than 10 inches 
from a structure 
operation speed 
has to be less 
than 2 in./min. 
Within 10-in. 
operate less than 
1 in./min. 









Resulting in injury 
or death to 
personnel and loss 
of or damage to 
flight hardware, 
GSE, and facility. 


Overtemp due to 
high pressurization 
rates. Worst case 
pressure/flows 
misunderstood and 
inadequately 
addressed. 
Calibration of 
measurement 
systems. 


Pressurization 
rates describe of 
40 ft/sec well 
below the WTSF 
recommended 
threshold of 150 
ft/sec for 
stainless steel. 
Pressurization 
Rates preclude 
over-temp. 
Procedure 
defines "slow 
openings" at the 
valves and 
regulators. 


Limit 

pressurization/depressurization 
at 50 psi/sec. 
The addition of 
an orifice 
restricting the 
flow rate of the 
Pressure 
Regulating Unit 
Assembly 
(PRUA). 
Monitor and 
control tank 
temperatures 
during fill 
operations 
keeping temp 
below 115 F. 
Incorporate 
monitoring 
requirements 


HPGT / Store 
Oxygen 


Under- 
pressurization 


Mission Failure 


Calibration of 
measurement 
systems. 

All systems are 
controlled by 
SPP-M-05, 
Repeatable 
maintenance 
recall 
systems/calibration 
support. 

Inspect 
calibration 
stickers during 
final walk 
down. 


HPGT / Store 
Oxygen 


Rupture 



HPGT / Store 
Oxygen 

Ignition 


Pneumatic 
Impact 


Fire/Explosion 
resulting in injury 
or death to 
personnel and loss 
of or damage to 
flight hardware, 
Ground Support 
Equipment (GSE), 
and facility. 


Adiabatic 
Compression 
Release of 
mechanical strain 


Orifices and 
regulators 
preclude flow 
rates, which 
cause adiabatic 
compression. 
Concrete block 
walls and 
housing further 
shield other 
flight hardware 
from this 
overpressure 


Continue to use 
Orifices and 
regulators 
preclude flow 
rates, which 
cause adiabatic 
compression. 
Pressure relief 
valves set at 
110% max fill 
pressure. Valid 
proof test and 
calibration 
certification 
shall be verified 
prior to hazard 
operations. 
WADs shall 
contain steps 
that verify that 
the proof test 
and calibrations 
are current. 
HPGT/Store 

Oxygen 

Ignition by 
mechanical 
impact 

Fire/Explosion 
resulting in injury 
or death to 
personnel and loss 
of or damage to 
flight hardware, 
Ground Support 
Equipment (GSE), 
and facility. 

It has been 
determined for 
several aluminum 
alloys that the 
minimum energy to 
induce sample 
fracture was less 
than or equal to the 
minimum energy 
required to induce 
ignitions by 
mechanical impact. 
Mechanical impact 
testing of 
contaminated 
surfaces in oxygen 
indicates an 
increase in 
mechanical impact 
sensitivity 
(Springer, 1975). 

System layout 
allows direct 
verbal and visual 
communications. 
All operators are 
together, none 
located 
remotely. 
Communications 
with other O & 

C will be 
established 

If crane is at a 
distance greater 
than 10 inches 
from a structure 
operation speed 
has to be less 
than 2 in./min. 
Within 10-in. 
operate less than 
1 in./min. 
Steel Barriers 

All personnel exposed to GOX leaks shall remain 
isolated from ignition sources for at least 30 min. 

Human Barrier 

Human Failure 

Tube-bank operator shall wear face shield and 
antistatic clothing while operating valves. 

Human Barrier 

Technical Failure 

All hose connections leak checked prior to usage. 

Human Barrier 

Technical Failure 

Constantly monitoring pressure and temperature during 
servicing operations. 

Technical Barrier 

Technical Failure 

Visually monitoring pressure and temperature during 
filling operations. 

Human Barrier 

Technical Failure 

Supervising the proper performance of the Standard 
Operating Procedures (SOPs). 

Human Barrier 

Human Failure 

Walk downs, inspections and functional tests prior to the 
hoisting/lifting of the HPGTs. 

Human Barrier 

Technical Failure 



All emergency lighting, exit signs, alarm bells, etc. 
within the control areas are required to remain active 
during hazardous operations. 

Technical Barrier 

Technical Failure 

All personnel supporting hazardous oxygen operations 
shall be trained on the hazards involved in the 
operations and the proper handling of oxygen. 

Human Barrier 

Human/ Technical 
Failure 

The Center Materials Representative for oxygen 
compatibility shall approve all materials used in 
conjunction with oxygen. 

Technical Barrier 

Technical Failure 

A 10-foot control area shall be established around the 
stored pressurized tanks. 

Organizational Barrier 

Technical Failure 
Failure to Adhere to 
Standard Operating 
Procedure (SOP). 

Reaching to Hoist 
HPGT. 

Hose/tubing located in 
high-traffic area. 

Personnel not wearing 
proper Personal 
Protective Equipment 
(PPE). 

Protective coverings 
askew/leaking/corroded. 

Operators engaging in 
practices that divert 
their attention while 
operating a Hoist. 

Misreading of portable 
oxygen monitor. 

Personnel limitation for 
a test cell exceeded. 

Personnel located 
under suspended or 
moving loads. 

Instrumentation 
calibration not done on 
regular scheduled 
intervals. 

Discrepancies in gauge 
readings. 


Over pressurization of 
HPGTs. 

Under pressurization of 
HPGTs. 

Spacing from such 
structures is less than 1 
foot preventing 
maintenance. 


Temperature exceeds 
preset limits. 


Flow rates exceed 
preset limits. 


Abnormal noise. 



tanks. 

Malfunctions in 
compressor and pump 
resulting in ignition and 
fire. 


Test being conducted 
less than 3 m (10 ft) 
from any opening in 
walls of adjacent 
structures. 


Contaminants in oxygen 
tank components. 


Failure to establish 
safety zones with 
appropriate barriers 
(rope, cones, etc.) prior 
to lift. 



Test being conducted 
less than 15.2m (50ft) 
from solid materials that 
burn rapidly, such as 
excelsior or paper. 

Releasing GN2 into the 
O&C. 
Tanks not tested in an 
adequately vented 
building. 

Introduction of a non- 
hazard proof electrical 
equipment. 



Testing in a building of 

noncombustible 

construction. 

Failure of crane or lifting 
support equipment. 



Leak checks not 
performed or performed 
incorrectly. 

Crane inspections not 
conducted prior to first 
use each day. 



Oxygen tanks not stored 
above ground. 

Sudden start or stop of 
crane causing the load 
to swing out of radii at 
which it can be 
controlled. 



Failure to check 
calibration stickers of 
measurement 
equipment. 

Hook not centered over 
the load to prevent 
swinging. 



Not opening valves and 
regulators as stated in 
operation procedures 
"open slowly". 

Multiple parts of the 
rope are twisted around 
each other. 



Exposure of oxidized 
metal surface. 

Hoist rope is kinked 
before starting to hoist. 



Tanks not secured 
during transportation. 

Miscommunication of 
hand signals. 



Pressure/flows 
misunderstood and 
inadequately 
addressed. 

An operator not on hoist 
controls at times while a 
load is suspended. 



Tank impact with other 
structures. 

Decalibration of 
measurement systems. 



Failure to perform all 
hoist functions in an 
unloaded condition. 




Crane brake failure. 




Operator continuing 
operation after 
communication loss. 




Operator not examining 
the hoists tag(s) and/or 
appropriate 
documentation to 
ensuring that the hoist is 
within inspection and 
periodic certification 
intervals. 




Uncertified personnel 
using an installed, fixed 
air, or electric powered 
hoists systems. 